From 209b479d6ec80d5e11e53a1d53cec529696e95f7 Mon Sep 17 00:00:00 2001 From: rksharma95 Date: Fri, 13 Dec 2024 13:04:20 +0530 Subject: [PATCH] deprecate kube-rbac-proxy with controller built-in auth protection 
Signed-off-by: rksharma95 --- contribution/vagrant/Vagrantfile | 10 +- deployments/get/defaults.go | 5 - deployments/get/objects.go | 150 +------------ deployments/go.mod | 18 +- deployments/go.sum | 35 +-- .../helm/KubeArmor/kubearmor-v1.3.8.tgz | Bin 0 -> 16649 bytes .../helm/KubeArmor/kubearmor-v1.4.0.tgz | Bin 0 -> 34161 bytes .../KubeArmor/templates/RBAC/bindings.yaml | 27 +-- .../helm/KubeArmor/templates/RBAC/roles.yaml | 29 +-- .../helm/KubeArmor/templates/deployment.yaml | 24 --- .../helm/KubeArmor/templates/service.yaml | 16 -- ...erator.kubearmor.com_kubearmorconfigs.yaml | 43 ++-- .../KubeArmorOperator/templates/helpers.tpl | 2 - .../helm/KubeArmorOperator/values.yaml | 3 - deployments/helm/kubearmor-1.1.1.tgz | Bin 0 -> 12229 bytes deployments/helm/kubearmor-1.3.1.tgz | Bin 0 -> 12496 bytes deployments/helm/kubearmor-1.3.2.tgz | Bin 0 -> 12574 bytes deployments/helm/kubearmor-operator-1.3.2.tgz | Bin 0 -> 4816 bytes deployments/operator/operator.yaml | 55 +++-- pkg/KubeArmorController/Dockerfile | 6 +- pkg/KubeArmorController/Makefile | 4 +- pkg/KubeArmorController/PROJECT | 6 +- pkg/KubeArmorController/{ => cmd}/main.go | 117 +++++++--- .../config/certmanager/certificate.yaml | 21 -- .../config/certmanager/kustomization.yaml | 8 - .../config/certmanager/kustomizeconfig.yaml | 15 -- .../config/default/kustomization.yaml | 199 +++++++++++++----- .../default/manager_auth_proxy_patch.yaml | 39 ---- .../config/default/manager_config_patch.yaml | 20 -- .../config/default/manager_metrics_patch.yaml | 4 + .../metrics_service.yaml} | 2 +- .../default/webhookcainjection_patch.yaml | 6 - .../manager/controller_manager_config.yaml | 21 -- .../config/manager/kustomization.yaml | 14 -- .../config/manager/manager.yaml | 26 ++- .../network-policy/allow-metrics-traffic.yaml | 26 +++ .../config/network-policy/kustomization.yaml | 2 + .../config/prometheus/monitor.yaml | 12 +- .../rbac/kubearmorpolicy_editor_role.yaml | 4 +- .../rbac/kubearmorpolicy_viewer_role.yaml | 4 
+- .../config/rbac/kustomization.yaml | 25 ++- ...proxy_role.yaml => metrics_auth_role.yaml} | 2 +- ...ng.yaml => metrics_auth_role_binding.yaml} | 4 +- ...sterrole.yaml => metrics_reader_role.yaml} | 0 pkg/KubeArmorController/config/rbac/role.yaml | 76 +------ .../config/samples/kustomization.yaml | 5 + pkg/KubeArmorController/go.mod | 81 ++++--- pkg/KubeArmorController/go.sum | 194 +++++++++-------- .../handlers/pod_mutation.go | 2 +- .../kubearmorclusterpolicy_controller.go | 0 .../kubearmorhostpolicy_controller.go | 0 .../controller}/kubearmorpolicy_controller.go | 0 .../controller}/podrefresh_controller.go | 0 .../controller}/suite_test.go | 0 .../v1/kubearmorconfig_types.go | 2 + pkg/KubeArmorOperator/common/defaults.go | 8 - ...erator.kubearmor.com_kubearmorconfigs.yaml | 44 ++-- pkg/KubeArmorOperator/go.mod | 30 +-- pkg/KubeArmorOperator/go.sum | 75 ++++--- .../internal/controller/cluster.go | 7 - .../internal/controller/resources.go | 6 - 61 files changed, 685 insertions(+), 849 deletions(-) create mode 100755 deployments/helm/KubeArmor/kubearmor-v1.3.8.tgz create mode 100755 deployments/helm/KubeArmor/kubearmor-v1.4.0.tgz create mode 100755 deployments/helm/kubearmor-1.1.1.tgz create mode 100755 deployments/helm/kubearmor-1.3.1.tgz create mode 100755 deployments/helm/kubearmor-1.3.2.tgz create mode 100755 deployments/helm/kubearmor-operator-1.3.2.tgz rename pkg/KubeArmorController/{ => cmd}/main.go (57%) delete mode 100644 pkg/KubeArmorController/config/certmanager/certificate.yaml delete mode 100644 pkg/KubeArmorController/config/certmanager/kustomization.yaml delete mode 100644 pkg/KubeArmorController/config/certmanager/kustomizeconfig.yaml delete mode 100644 pkg/KubeArmorController/config/default/manager_auth_proxy_patch.yaml delete mode 100644 pkg/KubeArmorController/config/default/manager_config_patch.yaml create mode 100644 pkg/KubeArmorController/config/default/manager_metrics_patch.yaml rename 
pkg/KubeArmorController/config/{rbac/auth_proxy_service.yaml => default/metrics_service.yaml} (92%) delete mode 100644 pkg/KubeArmorController/config/default/webhookcainjection_patch.yaml delete mode 100644 pkg/KubeArmorController/config/manager/controller_manager_config.yaml create mode 100644 pkg/KubeArmorController/config/network-policy/allow-metrics-traffic.yaml create mode 100644 pkg/KubeArmorController/config/network-policy/kustomization.yaml rename pkg/KubeArmorController/config/rbac/{auth_proxy_role.yaml => metrics_auth_role.yaml} (90%) rename pkg/KubeArmorController/config/rbac/{auth_proxy_role_binding.yaml => metrics_auth_role_binding.yaml} (79%) rename pkg/KubeArmorController/config/rbac/{auth_proxy_client_clusterrole.yaml => metrics_reader_role.yaml} (100%) create mode 100644 pkg/KubeArmorController/config/samples/kustomization.yaml rename pkg/KubeArmorController/{controllers => internal/controller}/kubearmorclusterpolicy_controller.go (100%) rename pkg/KubeArmorController/{controllers => internal/controller}/kubearmorhostpolicy_controller.go (100%) rename pkg/KubeArmorController/{controllers => internal/controller}/kubearmorpolicy_controller.go (100%) rename pkg/KubeArmorController/{controllers => internal/controller}/podrefresh_controller.go (100%) rename pkg/KubeArmorController/{controllers => internal/controller}/suite_test.go (100%) diff --git a/contribution/vagrant/Vagrantfile b/contribution/vagrant/Vagrantfile index 1879801d89..2fc72041fb 100644 --- a/contribution/vagrant/Vagrantfile +++ b/contribution/vagrant/Vagrantfile @@ -22,9 +22,12 @@ else # ubuntu elsif NETNEXT == "-1" then VM_IMG = "generic/ubuntu1804" # bionic (4.15) VM_NAME = "kubearmor-dev" + elsif NETNEXT == "2" then + VM_IMG = "generic/ubuntu2210" # bionic (4.15) + VM_NAME = "kubearmor-dev-2210" else # default - VM_IMG = "generic/ubuntu2004" # focal (5.4) - VM_NAME = "kubearmor-dev" + VM_IMG = "generic/ubuntu2010" # focal (5.4) + VM_NAME = "kubearmor-dev-2010" end end 
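Review bot: The comments on both changed image lines are wrong for the boxes they now select: the new `NETNEXT == "2"` branch labels `generic/ubuntu2210` as `# bionic (4.15)`, and the default branch keeps `# focal (5.4)` after switching to `generic/ubuntu2010`. Ubuntu 20.10 and 22.10 are both non-LTS releases that have reached end of life, so the default dev VM moves from an LTS image to one that no longer receives security updates, and nothing in the commit subject explains the switch. If it is a stray local edit, restore `VM_IMG = "generic/ubuntu2004" # focal (5.4)` and `VM_NAME = "kubearmor-dev"`; if it is intended, correct the comments to name the actual release and kernel. The `if`/`elsif` chain begins above the hunk.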
@@ -62,6 +65,9 @@ Vagrant.configure("2") do |config| end end + $default_network_interface = `ip route | awk '/^default/ {printf "%s", $5; exit 0}'` + # Specify the interface when creating the public network + config.vm.network "public_network", bridge: "#$default_network_interface" # forward port for debug if ENV['DLV_RPORT'] then config.vm.network "forwarded_port", guest: 2345, host: ENV['DLV_RPORT'], auto_correct: true diff --git a/deployments/get/defaults.go b/deployments/get/defaults.go index 5b623b32ea..aef8d1bdbf 100644 --- a/deployments/get/defaults.go +++ b/deployments/get/defaults.go @@ -27,11 +27,6 @@ var ( KubeArmorControllerClusterRoleBindingName = "kubearmor-controller-clusterrolebinding" KubeArmorControllerLeaderElectionRoleName = "kubearmor-controller-leader-election-role" KubeArmorControllerLeaderElectionRoleBindingName = "kubearmor-controller-leader-election-rolebinding" - KubeArmorControllerProxyRoleName = "kubearmor-controller-proxy-role" - KubeArmorControllerProxyRoleBindingName = "kubearmor-controller-proxy-rolebinding" - KubeArmorControllerMetricsReaderRoleName = "kubearmor-controller-metrics-reader-role" - KubeArmorControllerMetricsReaderRoleBindingName = "kubearmor-controller-metrics-reader-rolebinding" - KubeArmorControllerMetricsServiceName = "kubearmor-controller-metrics-service" KubeArmorControllerWebhookServiceName = "kubearmor-controller-webhook-service" KubeArmorControllerSecretName = "kubearmor-controller-webhook-server-cert" KubeArmorControllerMutatingWebhookConfiguration = "kubearmor-controller-mutating-webhook-configuration" diff --git a/deployments/get/objects.go b/deployments/get/objects.go index 6e9a28550c..68f61e6754 100644 --- a/deployments/get/objects.go +++ b/deployments/get/objects.go 
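Review bot: The added `config.vm.network "public_network", bridge: "#$default_network_interface"` line is unconditional, so every `vagrant up` bridges the dev VM onto the host's default-route interface and makes it reachable from the rest of that network. Vagrant's documentation cautions that boxes ship with publicly known credentials and are not hardened for this kind of exposure, so bridging should be opt-in, e.g. `config.vm.network "public_network", bridge: ENV['VM_BRIDGE'] if ENV['VM_BRIDGE']` (the variable name is only a suggestion), mirroring the `DLV_RPORT` guard just below. The backtick `ip route | awk ...` call also runs on the host whenever the Vagrantfile is loaded and assumes a Linux host with `ip`; elsewhere it fails or yields an empty interface name. The change looks unrelated to the kube-rbac-proxy removal, and the `Vagrant.configure` block continues outside the hunk.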
@@ -475,32 +475,6 @@ var KubeArmorControllerLabels = map[string]string{ "kubearmor-app": "kubearmor-controller", } -// GetKubeArmorControllerService Function -func GetKubeArmorControllerMetricsService(namespace string) *corev1.Service { - return &corev1.Service{ - TypeMeta: metav1.TypeMeta{ - Kind: "Service", - APIVersion: "v1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: KubeArmorControllerMetricsServiceName, - Labels: KubeArmorControllerLabels, - Namespace: namespace, - }, - Spec: corev1.ServiceSpec{ - Selector: KubeArmorControllerLabels, - Ports: []corev1.ServicePort{ - { - Name: "https", - Protocol: corev1.ProtocolTCP, - Port: int32(8443), - TargetPort: intstr.FromString("https"), - }, - }, - }, - } -} - var KubeArmorControllerCertVolumeDefaultMode = int32(420) var KubeArmorControllerCertVolume = corev1.Volume{ @@ -536,8 +510,7 @@ func GetKubeArmorControllerDeployment(namespace string) *appsv1.Deployment { ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ "kubearmor-policy": "audited", - "container.apparmor.security.beta.kubernetes.io/manager": "unconfined", - "container.apparmor.security.beta.kubernetes.io/kube-rbac-proxy": "unconfined", + "container.apparmor.security.beta.kubernetes.io/manager": "unconfined", }, Labels: KubeArmorControllerLabels, }, 
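Review bot: In the pod-template annotations hunk (`@@ -536,8 +510,7 @@`), the kept entry `"container.apparmor.security.beta.kubernetes.io/manager": "unconfined"` still runs the manager container without an AppArmor profile, and nothing documents why. This commit moves `k8s.io/api` to v0.31.0, where the beta AppArmor annotations are deprecated in favour of the container `securityContext.appArmorProfile` field, so, where the supported cluster versions allow it, the setting would be better expressed there with a one-line comment such as `// manager runs unconfined because <reason>`; if no reason remains, dropping the override lets the runtime default profile apply. This matters more now because the next hunk removes the proxy sidecar and the `--metrics-bind-address=127.0.0.1:8080` argument, which presumably leaves the manager serving metrics itself on whatever default `cmd/main.go` sets; that file is not shown here, so the default is worth confirming. `GetKubeArmorControllerDeployment` starts above this hunk and continues past it.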
@@ -547,37 +520,10 @@ func GetKubeArmorControllerDeployment(namespace string) *appsv1.Deployment { KubeArmorControllerCertVolume, }, Containers: []corev1.Container{ - { - Name: "kube-rbac-proxy", - Image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0", - Args: []string{ - "--secure-listen-address=0.0.0.0:8443", - "--upstream=http://127.0.0.1:8080/", - "--logtostderr=true", - "--v=10", - }, - Ports: []corev1.ContainerPort{ - { - ContainerPort: 8443, - Name: "https", - }, - }, - Resources: corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("100m"), - corev1.ResourceMemory: resource.MustParse("40Mi"), - }, - Requests: corev1.ResourceList{ - corev1.ResourceCPU: resource.MustParse("100m"), - corev1.ResourceMemory: resource.MustParse("20Mi"), - }, - }, - }, { Name: "manager", Image: "kubearmor/kubearmor-controller:latest", Args: []string{ - "--metrics-bind-address=127.0.0.1:8080", "--leader-elect", "--health-probe-bind-address=:8081", }, 
@@ -765,100 +711,6 @@ func GetKubeArmorControllerLeaderElectionRoleBinding(namespace string) *rbacv1.R } } -// GetKubeArmorControllerProxyRole Function -func GetKubeArmorControllerProxyRole() *rbacv1.ClusterRole { - return &rbacv1.ClusterRole{ - TypeMeta: metav1.TypeMeta{ - Kind: "ClusterRole", - APIVersion: "rbac.authorization.k8s.io/v1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: KubeArmorControllerProxyRoleName, - }, - Rules: []rbacv1.PolicyRule{ - { - APIGroups: []string{"authentication.k8s.io"}, - Resources: []string{"tokenreviews"}, - Verbs: []string{"create"}, - }, - { - APIGroups: []string{"authorization.k8s.io"}, - Resources: []string{"subjectaccessreviews"}, - Verbs: []string{"create"}, - }, - }, - } -} - -// GetKubeArmorControllerProxyRoleBinding Function -func GetKubeArmorControllerProxyRoleBinding(namespace string) *rbacv1.ClusterRoleBinding { - return &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{ - Kind: "ClusterRoleBinding", - APIVersion: "rbac.authorization.k8s.io/v1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: KubeArmorControllerProxyRoleBindingName, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: KubeArmorControllerProxyRoleName, - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: KubeArmorControllerServiceAccountName, - Namespace: namespace, - }, - }, - } -} - -// GetKubeArmorControllerMetricsReaderRole Function -func GetKubeArmorControllerMetricsReaderRole() *rbacv1.ClusterRole { - return &rbacv1.ClusterRole{ - TypeMeta: metav1.TypeMeta{ - Kind: "ClusterRole", - APIVersion: "rbac.authorization.k8s.io/v1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: KubeArmorControllerMetricsReaderRoleName, - }, - Rules: []rbacv1.PolicyRule{ - { - NonResourceURLs: []string{"/metrics"}, - Verbs: []string{"get"}, - }, - }, - } -} - -// GetKubeArmorControllerMetricsReaderRoleBinding Function -func GetKubeArmorControllerMetricsReaderRoleBinding(namespace string) 
*rbacv1.ClusterRoleBinding { - return &rbacv1.ClusterRoleBinding{ - TypeMeta: metav1.TypeMeta{ - Kind: "ClusterRoleBinding", - APIVersion: "rbac.authorization.k8s.io/v1", - }, - ObjectMeta: metav1.ObjectMeta{ - Name: KubeArmorControllerMetricsReaderRoleBindingName, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "ClusterRole", - Name: KubeArmorControllerMetricsReaderRoleName, - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Name: KubeArmorControllerServiceAccountName, - Namespace: namespace, - }, - }, - } -} - // GetKubeArmorControllerWebhookService Function func GetKubeArmorControllerWebhookService(namespace string) *corev1.Service { return &corev1.Service{ diff --git a/deployments/go.mod b/deployments/go.mod index 912db514ad..76bca4c5cb 100644 --- a/deployments/go.mod +++ b/deployments/go.mod @@ -1,8 +1,8 @@ module github.com/kubearmor/KubeArmor/deployments -go 1.21.0 +go 1.22.0 -toolchain go1.21.12 +toolchain go1.23.3 replace ( github.com/kubearmor/KubeArmor => ../ @@ -14,14 +14,15 @@ require ( github.com/clarketm/json v1.17.1 github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20240110164432-c2c1b121cd94 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240110164432-c2c1b121cd94 - k8s.io/api v0.29.0 - k8s.io/apimachinery v0.29.0 + k8s.io/api v0.31.0 + k8s.io/apimachinery v0.31.0 sigs.k8s.io/yaml v1.4.0 ) require ( github.com/fsnotify/fsnotify v1.7.0 // indirect - github.com/go-logr/logr v1.4.1 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/logr v1.4.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect 
@@ -39,6 +40,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect + github.com/x448/float16 v0.8.4 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect golang.org/x/exp v0.0.0-20240110193028-0dcbfd608b1e // indirect @@ -49,9 +51,9 @@ require ( gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.29.0 // indirect - k8s.io/klog/v2 v2.120.0 // indirect - k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect + k8s.io/apiextensions-apiserver v0.31.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/deployments/go.sum b/deployments/go.sum index 9ca188499a..765bf80f33 100644 --- a/deployments/go.sum +++ b/deployments/go.sum 
@@ -8,8 +8,10 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= -github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -42,8 +44,8 @@ github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdU github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= 
@@ -64,10 +66,13 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= 
@@ -122,16 +127,16 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= -k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= -k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= -k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8= -k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= -k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod 
h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= 
diff --git a/deployments/helm/KubeArmor/kubearmor-v1.3.8.tgz b/deployments/helm/KubeArmor/kubearmor-v1.3.8.tgz new file mode 100755 index 0000000000000000000000000000000000000000..450095a1d9f30a13f05674b657be3feaa13c4534 GIT binary patch literal 16649 zcma)kV|3)*vust9JKV z{d=mOUDX5;P-sB^yuK)bsP)9;=?%oBeoDHrv*^X)0S!`AIe*6PARULE&pJqzbq z(8%vV7HC@_*`}YjKD^+*E^%OZoMGQ#70HT5MDk}%9a(?CYmzhdaOrzGHVkMYEVIE7 zY&zh?4DSbYa(}pR;V*whKV`)bTwLOv$LQdnU&K7&N4e;n<9B!l4n0YUDM$nkyw5&Q z87)#jL5j1H6ZpdR9fMV7A==_%^16i31y@4=LuDtZp1On_S0jmxsMPr%MdoKSz3@k# z5@h&;F{su-k(*K)(U9lQ`i~efetV_CK?f<$L0p{oeTH%2-I=8^td|Rf#)HQcn!;+w z)g$5ymm9&b#F`)cI($C$7)8aBttc6(g*)H~hVHY&MIk81fmd!^^S*d|o-5tCh6#ZV zoz4Ynd;7ZlybJjA@Y(&;_wYp*kDqUlvQL^g($Iam&?*ZDdD>2(k6;?a-dm3Z77sTG zG+4F_9x6LJlSYOs9=eD03#q@?w+?8)@EXf)#Kch=<5Z0-$6?582bDSE&k1Lithl1+ z1N)8Yt33S|%7Ktq$2Gg&Yj>`DI*9Hi-FH(+(ca!I=~rv=Kd24$5OJM7b`{i&n2S#! zp4q}TU>CAY^Ww(AdJ)PZWaMbBGeWkXwfCyzTS(?(*5#3z&L8&ISazyNL@zj#f*nW! z!Xw6PTv9r}AGQsIj>LQwrAp8amL5{>jp@exb2xk^i*a&fhaTGea zNPn9R^%^9x@HtEo2eP;g$Ouf75A?G{?;$1fhtqe1VTY_hGKhh_EACFjMEU^X(0{69 zGV?p&!eGHMLLesMQp6$F$v_QeOp2EnYOn}vpP?jlGQVAK`_ED>SV$OR$IB9z?|@>5 z2irrsWhp@2sPl6vTbcHV03)B;Kr^Z68gZ@R68Fmsw*L+SItnb)rkO>D7Tm06pYU^l zYOo|Ekz@~XQqGE4nvxDLSEp1!*h8vk7MuW!t00aF7Lx(e0lpF-xe@UB?aIKf-ao?s z?V1_7pAt5#d&*p+BQ>Z08m2mED#M2pG&=w-xERW9gbiMx+dG7Wf@I8hwz?Z$v0BS8 zCdT3EkkQ3II4}z2C?amU1hE#4WS5ReOh5n=zaq4nD>e?r`9u%LH9n}PQG;;~i`x-8 zd^ovgOT5&e)?fCv$>G++zkhO+1zFxOyAdHf2k(Q`1Nx5r+1}rItCmTD$Fis`?ibxw zZGy!$YN-Qy;6|rA18heM>QI=b2Loj2UPbWgSw0f%jkJT;Fp?J*7}RmNtq4g@ouP*! 
zBrhkg_t!W(%&I>BF>&%O6LyVImtL8avt##asTU`l-}q9s&0yYhK?_n*CvFwl@UUV+ z3055{BSFY7@`EWG@Sd}0dMGw1JzeMQZrtdQ{atGq5yvVa?%F3NqZcR(J|fES)nSH}NFfYxlKLn|wH=%@0=!FY!E-cMzcD z+-{Xw&3H*P&Sxaoh?vUOIj*T9DAo@XY4A$I77==A{2)rIYArt;vx?SRJb`;tI5d!I za#f%wb-5kk`Y?S8y4BXKG2eA4yi=;J4-DiVH1`-=ziVhW+1G+@K;;keD8I3F@nOSn z@ZV1JaU;QHpkjv=+zEHlz$5!ow`ki7DAN=3thhFbL2Y<5DrgiEp-Zh?81^q)y$eSv z%?uF7^k*m6>jNHCOUOA_S|Y8+OuTXTDM^^wEaNOvbNR%=-&AofFGJz|9?{J96GnM` zkw6?uf!wf9&)*isbn>@1XCFgWT&x&K9{dsB2=x$MGf#CWA;*<_UPT+C09QVQGJ|HT z;h$eq1&Zi25bDTXOP6bC&)CnX4drcJ%)U9>9axAEF)C}_^q-M@DG(za$iha=Ec<_s zLnwNX7|I})z1nhFJQ7Z@9F1S{1hb7f=ygcP^e_b-A$&iTdR(_q`kr-!G4C*n=ku?0 zxP08MZ@-;e9q#sj_xJ=6FsSz0IKO*a@m#`RkUN{v9bcrr@7bOGh(`3xc)hvE_aEw8 zhk$bO)X`UswSS2Iyl!gW8pa%YohMw>D^tuCmNPczE`Z2vQ-fHHB&o&7|3x;xOW~_l zH`1L>7Gu!Yt3p*WXRS}ml`uM=$`xcOoA$9Vv&vbM|jz{<*_gfDuv1|F*bvlMk z7dpV4+V{SbrXADpKGu=KcZMd*q(auq)=Tmk%&Vhx!5kx9+ra!$rKgRF=o@5Gs3?t? z0Fu>2IkHta?C8X=JEME&-w9AWC>vLcd|^9TJ6%KNaL;AOrSN@nmkqSHw$09Tm@{)T zT9YZ0ncoVNrXyJQRn$YiJ1X`>ohqCxGDcKqrG`&;vr^>p@i#2cP_OndqZ@VIQ;5)+ zs-6x*e?zzU*2q!%zGRQnF4{_iF&_W;srR~1`}zxe+8OiY7$gd=bg$ew$STfe;I2_+ zqN`Go@pSce^Y}ibKYuoI#&>4Wiv~*L(dV3d+eb~~i+g2#-QlcThdAlU=NkJlge~sZ z(5O$tAFdA1Lhggb%boZcUH|AlA+eoenm~d`UpV4ewjLDLsZ1=}DFLxVvz#m${&Gs( zglx87d(rWbP*&(0T2p+aOoznbqdmXwvVe7v2@t$=PO>h}Pre}=5Rf15i!yTsA=UWq zwx6@KwPL$wu|9X4OBDBaBh5ESyn!tp!ba&N_?7h_8b3+&XKcv==ccDmPb{ya&Sr0Z z*e+}6wIlOX!e0ixODkD}8Z)~KDI$fPTB*Q>I zt$}1$*KZW}h4b0(!Nz>^doP2ZLS5;(NcJ(Hoqb+4T0U z8cy$)DBL!Kye$LHDiqZs8>GWU)=w(Aaq@!VE}b}fV~f;497+;PI9aR|)sV@Lwz9r_ zgsr5;e~Pfxb1hASpjbTI2Gqqud5m=3yGiD<`s>z1yC=0-pxneWB>d%TxK+Fw_q>K& z`AjG8s%P`d?_SKz^ua6S71lPK;O43ew!L!x z4Oy~uoY=y?@j%UneNorem_?@C)vZbvt2GVYSiB8>(UzLMyVM5KL;MJ4>`IpHxxCrF z+q@YMczw3{D%ALTAwIFgZwet5{6u;GC3FOJ28=}vGKdQ%8&(ynd87e?gz;kR*E<}e z-Ik4TK~u{nsV6;m#W~X6I?K0x!jG5c83P5sg9AU?^8C{T8h(Mb6PVs-nn8>2_xyal z&?!qQ$uk~&lpUUNK~835PbS(DU-3xy^4TyM4PQV<&aDHC&KENlmk4Z54|+4R@S2;f zH+&X91y#lf&~`1*lza;-PQ?I{ow)voypkuRgHNkM^$S@=cJ7rUUknIN-aS()i8)X5 
z?8XM#8-9}i*Ym9J#)c_v*4}E)HYz!A(&_RmTZx32wom=9S`=D!go-N0e4&IbZS4j5 zh$J_S8ZyK`>7FrJ^wGgD5m$_yicxl+>Qm_#O$+B#9~1nf+6O6%cP@eskG*>M@7g;| z{>riq3bFVO0*AO4@8Xi5q|OrbMmUaot%ONr?IS#G;K3MSlfn&a>Xcv9yK&T=lii(_ z%EDNDLtE|+N}T#zuPb*LvkbCb-AHEkGaO#auMr(9)w#RQY_dSjfjy0te3DE14y-3{r?TqY_n7ihhljug-oENy$YF= zJ{2kUPEi?ea$X^671fK-t(ofhOE~&kTT2+Bx3^1~b~1W5mX#qIDTLbd|FV!Xr|l$& zmnWZxKYTIn@Lb-d--b(-*_`0p(@RQ`?{O7i!9%N?OwbF`Q~te~oAoq!r$X5z2}1>k zJlG}LdDyLPJ!*+I<>x=n;tfHyx^0KntIwiBL(T@ z>WkDRT)>bb*zDX>bjecV>q))a3bmvrvBxrHF6zsxrZ9&rlDtp2(Pyh@U3)pf_Zj8l zI6KM+tGwA@3lqsybUik6B85wsm6d|-)vlBywa$iLt4X7h9)<1{om#Yx0@-F%-8V@C z_qYrfR9EqIy8GSM-u3nI<7BY?Y54mU!gf~T&vFaa7tyJ_)2=UeKYFp`&E~Ci?#eQ1 zQ;oRb=>`n<=f?v}cUMQ=LgO;?l=5@jpQO||gae87*oksIPP1lGw`yp5I12`NB1{6J zOfYcN4n82go=CNALt&#H&^{i!#eVn^w~(V;eA1;Qe9;<_CyM#^8$jK> z!g-2-GVnw0+dBf=_W8fBU$!*KxofZwMUG1xi&mu+MUF$y#fb`+h?UjHU?tgVK_iJT zq8ITKIj^STm4@@lBw{Kx7eEYU%-uH7#JnK?P;f{QOWGyJ-;r`2;5*dtzUKQ~KZng& zR>vd}z9mQ7$xlgqkSy>{4wWm>$_9m_nm3e9I|a3tI(U~U0bB+@B|YWi=GF0WTU?Yp zpWknGak1W?AJM3A%W3gFVI?o@@O8lKqU*vbQ!un2EzCi91wJ<_Ik za#l5L?R(mnYRWrgTb{bZ-|@?Q1CAj1J!h?sN^B8S7jG}Q)W#BiwomhuywYYtb~`cp zyYXd3Y6je|arzxI#Hn#vN2bnE(K0qGtH^S9#tVi}DWOMM-I!ULtmK#C(8Xcu0)>=y zCA|*6w&lc;+|}1v3MQt*BUxpY6YfA^WF|$StuB9HbTt{NWOHv)&5>^8)^}>uTP=M2 z2IlT6tZtg1&6Fp=SCHiLGy$&EnGbRGrOl-vHBH+wuhA9*{%VX__XkQOzjc$MXvF?3 zF4E5HmPt%Dnc$Arl_6XS*WY9 z#c6GJt+R(p2vTL`AvT@usP{31A@RUw=N2XljN(JXpkbh;stC47HaFqv~yzZX6BrA zED&%uVejh$kmA0BjO_=iZ!_!u)5o z=lCf%9)wNU*Qyu8R`?e|`-hGWxzeT23ZCIvrj$uv<2eWmof}-W9A~5x#xJ$gL z9_!BT-fs+w0VI^gLF)%L;!|)t zsNo(KRQ?}Q5F$G?86>GbTMhAry|iFjIfd2F#GtSQo2bgUG;$@iwzii_!IOfw2DXWx zqynEC!1uug^;vc)wzy5Gm3{;9b}v;FTY_Dolb8aS;-PM^Ai|N?sW>ZzgXyX;adz8+ zY*3Ehc5Tao<9cEiYJ88#J~Zgfmk>f;c>F6duo8#ELn177je-;ToyoPqQ@3FJoNSd? 
zTwauZs>!R*v$6#p99hPaSFAeM=Wdxf+v7PPwGAct*HM;epcye%Im4fQkO{p!(qVvd zXLNmD?^WEYzu*TGZf)Aq-7s zUx|otVE9{XXpq7eJ&=SS1OMnVUhFz)oVAbPhWSL1x=Ig?YihsxbAvug9t9_%Vd&Tt zxR53hcZa#WRJhmlLBj6O{lPgG;>TQ++@G!^k2pCrsT?ekV_a7p`%$$5I}mt%krHOi z^W%M83o&8Fh)~6gPY)1*vL>87lFHGCByNsJI;^~9G`wA?K9WO!uS*Eo42&#&%Wm?L zs}&m1Z&gVu)qAg>#rSwHG!Wf$ejrGJ)X2%I{-;=Y^h%b2=Ft>3W@(yCOhKl3+^$P)h>7l?0IdhRL&xxsx-I zlDj+U6+Sf%64!!bD9xlLcVhS+VrnD@F*`+(Ky%JWnH=ea*~{>I3`24T)n~Non7rpx z*f}WZvlkc=6D09#fVpjJ~{B4MJ2LCh5fcLolAgEA|YQiF8XSIT8FDH_X26Q?8xe45B|{|5a{VID7)Xql)T*_*V~1OQC}BbDEI2;wtAlkgzF?QK2}yCG1Y6 zEeajSw}ueIdrMT#@+6h~2}cb(ZE>bXU)A)^^zf;oriJ=;H!FAxGkFbzCRPIzQ1$ex z2rayhtu3>_E{1GkPUx*xw9YmkKAens;-sivmvo;`1LpT}UXiIsrFnwYM>A2$Yy_J@ zW&;{9&Fl#ZdGD!rZrxkdA0uU=50)hvR^9bhh+-O2m*xveU0M3Aj%jO@Qm{MCWz1GI zU9=7!vpzm)Yo*Ja<;!zYw3EkI6*@^k?C9(H`~*ebGauVdFE-`l^T7ni^IrsB6Yhd;hQcetq)_`6nk?}aSEJBA9PqRYo6Y5l5-Nd%bDx1 z;)iFoDDYmPZ8S-5Ec$VB*r*JnTkP)Fn7I{;(!FHt*H_cG)lA5zE_kF|^NCP%n@EnS zT4h1CZS%`sArB`ohGbc1DH_9OZz;8I{27QpQFKAmOrH{dO*6t(<#X&v01qCV+1$Xt z6(qMb4II$w%i%lX*6qWmXMkN_@`GUp(gFnrM@_v`;dqv>~V#jTA+afj~`r7=&S@a>KC;J-bMEBUC>=Y-#z12FPhZOzG)#=x0Ebc~k44 zM@$mez||hoR@TP&Ku0U^R&^-5D2cP_b*M)1}jq%?&)o0vptO!NmsM z)Vpem&>10ixCx~chFY8`$sn17m@EuvUqN1p@_*hQO_(<*bL;NlyeC!Cv|MIv%m)LZ znlVu%51itXdf`C4mWYL>NUcI0=MoPx!c<5HtFBOn4+y9ha-+aruAiHcVmP<`;c4tw zJu-|kF=h3=1NyZADy_2>QfYnF@qGit5NPpCL%rvn`rH18(Oa6CvstRRv7q+8SFfx94>J#wXu*C}Us$U-upEzQ&H?X`Lo+Z8` zT$O_?e*8$8Cb}l^bzd3wvj0r$B%bVoTBn`YUPxxez$IIy@XKqFvSbAQ57q3wS6y{q zFitA)#fY*Nm9W~)QAJr;YgP^Ud!mS^l6;6W;VvH68ST~OQkHq(mKqvFhGgnF(JWj6;2Gd(EW_G$7BpKO^srw+8`4GzLe zIv9s(ztC$`*0*CwevL+T1=V^B)q1vmCCm1%>pAooav9Th3o}-5KzXM8{4?k7GpBA? 
z$PDqzIZLcPYV4hoYx&R4)7?47$1cD2NFmQTnnRB=c$ru&2Xdem7$K=i(;T!yL0{Q0 zX)cv|Hi1>h9m7Lz$Yq=Gpy1GtglFPw>~_+n)#sF;-Jn{M4?ZK;-iq;D2<50Ncc8Pv z`3QFCUE(3wGe`NK3Km)pOSc04u()6wUB($(O)Cnuu%Y)zOKm^sS*aV9^&j^1yMyU- zO5YY?o$WYPy|}FP@9N-M>@Y07!|mTZm(4?0|qw%BJ5NvkAx3_>>-oFXQXo=5WVRkN|mXy7q|Mp%F({OUde*lRY@h^{4BJd~>TH!!0#yoN7 zlfzhfT0U7M<4l=FQD%ctafg_JF?G*HpP*5HRF`O&)=6{f!#7Gx>f`B%c&%BnWU9B3 zV_qLYu+-&lVkB3jsdd^pcB$72t|p5+WyPV|E_jzyOjj9BVCa{q}7O_h;YIhi+|ZT~oAIVrNV2xqg@#QeRNxRau(O#8T&O z)K&IW!_$oRV86~DlC-X_$ESWE|)Ype~U2v5rwqGYORbr6TWG1f6CCY&YOHOPI>etA?r zlKPtlvwwf&&poC8$@4~|{nUIXVxr#c^UbZ%U#ssm&txVzcrmyEaVKN_<6Bsv6;)zQ zM9Y;W5$3hW_mTckW66EsY4rf;I9O9wNUVzE$W0;4@BwEkJF?SeSf&K#nzm zw4f)zXA0*4{k0NDV8;u>AHGxIGp#@z0VDr3Z6JR~Z5=|Ge9M8;;4_DO|0RIQXVQBB zax6g)&%<*4i@C)EGi@BOWnXow)Isa}7{t@)I1$L~|1t^3+cYv5_wct$$vi9=OXJW4`aEzZ7 z5%_f@;hdmO`SAsFD-#72lQ#p{ zm2D!wHVTg9%vAIzatQRW-s`*xGoifBVz~E*l`c&14ybKhx2Ge)31cd-vL?a5_vs|r zkopa1H?~pv*Z5;t|2N-2VeprS#uX%!v_lFc;VvG9)f_!Td4d1C{l!)0rfdb zBb4#IJiTnWQ8g@(Ck(z2i6diZXwV%TH|2YCu8nV0L6w=``;OVe_{4ArQH4;s3G#5; zpvQuoM*|m7hrtHuHP8r-vO{?3quvvUz>%4yqkGrN2-M z0U;Y)OY$(AXnt8@f+ZjnS3_B)38Ko+ zhGMv@cS#p!|AC4?f{QAXAl(>_BhtIS;s4dzE534z-{AgF5R03L^gn}GTqEJLp%Mq3 zyUr1caB^8V5=Vp$=Dm!1v3)R{fk@d>pJyV!N-Ia>e7_M47ex*D*|?=uQwWMMr9TM4 z$1K94Z2s3!u+Qi4Ic&6CgDc)rvOig!cB}|~HUiOJEY1W?>t9oMeh1=r9d)r{K~OVy zQHt{4a8^o}alW3>!>TJUdJ>%z~z-iugj)bkND$KF$S^>yw+3Lm*kIPdjHO z`7v^XuJ<~6p0N}|t~<%4zs*VqZ~VYKzC$6N%UD_MBZg9lXz#Vl#PK~MN_%B9&==gY z#+;3bA)Tifp|R{qbCHwELFQw|i1&g+r&vY9J7_)(f51%O$@N_35AF)>$Y~bhukpHx z@Iu*52Lq$DHIotfk|j6B1b4Ba&PgRIACcALroE1MV{>pyu&v2Z{)i`Zz<2T zt$4$MXT2479PVaN`=R$4cD(Ep9VvgpA&W#GcCQQsm$#6<~NlcqwA&LQ>a` zyh>>QR|b~t?~t8t7O**RdNVWwwDs@Ke+9u40E)r(t%ZIBw0(;!ulYM`4?VUS+M!ed zSgLpYyS){D4X_ggAObMLA`7sI2M{?293^M!Z(9WlSZm(dh#G-61-t>yg8?vX5C5-} z^WUSS69QH$b^keQ%`{$#*Ak9osHRvBv`PQ~ z^+ys90M$hb0T>Hu2kiJ4zOjY=Ht4p0n?tfTpf++(fGDK>e*^%o0W3KtpNcSMwsU7SJX}2Ea7m z{@;06K);+Hp#49{uZ0>2SOf<+16I1(Oukc_Su0?+XX~ixqh@4<36Vch(&*OikpOsb 
z!T?)tUlycIb}k-O0TehbUQt~j%=?{*?Erb-$4Ef>p<+69DgYz}6$WIKjPU1tf}GzF zWawo2trCnGqOT=!X@X3Y(mLQLmjQtPeBeMs%`lID;otSY!M`-q{{sKvsQ_N=zrp{( zTyye|1Z>?!a1oR|wgHrZkw1P|TH&rOLvpT&Mv=q&H@#a~pPcwHMpU$y`Tf$7& zWh>u)%H{UUXw?)UX1YT_iX7$dacCUlO6H9{TXS(ZA4CV4HPsTrZ!U_llt&2E$OC4V zx8;^^x}%kAb#d#e!l!s}4{p#l*Kh)Il=(+I_mqQ%n%GxTQ7^<9t1>LVdH+LVw@r@I zS4M~0QA^_g1O6N49*%5Y+{cd;5+Bu@qc8P&Gki)LX^L2hItCPa4y4IKga{0fzzdFp zY2|(Yfd2zl9#f~p_ry?gy`0xGm=+;i&!(IMUUq9g()l2BLAfW&#%np;Jahz9*I;^h z*}&z{04i{@hCrEsP@;d?YfJy%@`9R7@(O_z> zDQ~~>AatQakfXzj#f#OS;PQ9uE~!3Rd%vyQ&pU2knF24qDb?@)4+{JL3;ib}joU*; zey{vRf90XS=+FAUpnnsI)6Rt-f7zDCTKSURKj_c>9Vj>WJN&+%Mih7?%mzLzb9VV| zZa=-Diqus?j^5F{ATP7E_a#=`F542$F-AXXpeOD=HnjMi9o?pAZ-X6>Q`V2UA?Sr( z_=R5NU*K}i?^6K!de#fKcYY8l!7`-E@xL+G?vtkn@w1F}`to)k9opDiU@P4-9b?ZQjhg{zu6FgR?gC z_%F^ndzM|z^1kks9E?UcK&d~~?B<^RAy%pLPuZ4Ss>f-_k2kaB6OqofTj~t>2f``) zwqe0!4iiEfe&r`iL-pTA(u_f;S*bMh3p~830*zDhX$yjkmsUkBZm%_B0PeYU^yu^{ zgk_cMyB;WNH(B;xiY+(3(+}b5OB;5&8cVpY_4hl1{9T<-2K%P!w9k}ajj^}Bh5d$M?|-Rf8(!)oo@m|7{|B+GLI#|z(oF?yPt_zEz$5vQ^VWTKyRDq8 z5_MW6QMOI6q$o~JzzI`8SdG>F-ejU$lp%gpKkaPM$7&>>vHYpq@yM36?rmW*5VJRV zmft)db-zFPGV7QCc5{@xe-gZ3K6$dcec1(eKy$K5YqnN2mG}?hE2N1KdaWDJ(sCJ& z(sBWiy~0kgZ8-?CS@YUfvQFcNE7B`^Rqyh*N)Jl4O54xjlVx-JSEb_WI+0!G8_brk zIa-9{`|U2ao&RE%NBmc-7ee~B>@<6hPDf@Z4zHt$NdcbD{}%e^>;Y+%duIEb=RR;><{1H zoeh5lt$Giv<9_r4bdKj-Vw_M_{GHYEw{I4+K|iyOyQJCtyWKj#xmm2(_g|av3!B7R zApntfje>6_0F{9D46t@W%LX_CD2_`6KzSQDz_3=pzfzn39QTAA3b0I_0$2mY#38xa zjS#5Bm?)+a&P0A*0w92Rn>rLW=PVcyI8Oq?^M3s z3K0jJ18Bej_zP&t}#c(ooewpSNFA-ahp&wk>MM@PoDmT|kXwbpip_01kbJWE~ zQkT+piW}nwM$b)*%armH*g$~m4Lt?z;6*cz{1OO&UR#~z-J{=Slk|CwOiO16JU?F7 zd(hx|A$N#th`Q2L?zH!by}!xFxq8+^0a~NP;Xw_?V-{j% z)kzmi=Fu=e|3V6}!~^d94nDK_CB z5FDlcn1!DWIyBId8Dq)%u4&F!R+%%&^KWW@be~{KGWW>kkzx%Xo2}IM*P{z=P^Q{X zF?*C;_`E;}J~HU*eYs;G?pJw~KLiP%Rnyt?!>Q z`o&QqL8V~k{X?taU_Ed8lD)rF#S1b=VhCWzQ~wa0#^^(GLx{d+VSUT}|5Ox;%2W}`G9BVAK+q6N)J`e;obaJ!j<`A^1yr2<;v zl$yd)~4T-MXT912&h&75aE{~KjxNOn%i4rep z7%a{-RCKmQ7N*D+C&Lg!x~g%$v?Bbjs3SyBY=+yzq10ECQFPqzxooagT}Y<-kl3hj 
z4d5R)Q6l=;mW1<0pN_??5hMttk2CBDo)O$pP>3A#laRuSW#&;vaeJ?n0y*Qq*EmdP zsVL0jAEM*Vb%>jllLAu6w`A&brh%l8o1Ko`=RcvnwX4)a*sQAbn(RE-K*K_mjB>o) zJcGUHj?Ue=`Jo@MGf`oBi}NDs2Vr-jO3(`E`qiU>?#FzS0Yw&+@o)Az9uDta9cw7J z8m&zap3RRo+y`#IdU7?(Ff#pENtmzaCJVP^w4-z`lyymBGoJHcn%>?IZMkp}UC`fK zKnOq(d_5K&!T@;$DG)}eyk*ThUM)prm!9Nb4cY?532or-&{^hqqV?@K@#wNh`ekVi z=a)2vkv<@5nK?@#`?+z*0bh!|W+COo;9`)QNVxda>y8jS`F=R1m&t_sJAvRY&42dO zNVIG$(}$mY9v{cniQwX?Q)sc6< zE6qIa08?MwqMOFZFuVFaOnryE*do-nxsy; z$R$G^5=wFsBuFrNgv3Ry3W+;QyBw2Jn`P7SusZrxQ1sBPulikZH}weBMHQx@;;Y;B z^WDwqkZ|^&J5{lzo9y9m6jlX^vM+X{dr#I4&e(o& zeP*hdg_uNm^nE>9h^OLrW1}2Ewp9bBJnG<{uD@1bg+X8`6<~?VlJWFs+^#A~alUE# zvy;^Xgg7|X?G&6#KrR465Iixg_v=wotP8fJXvJhq_SN9A0#ZqtE|TkF$?;A;~jS?=fZ+K9K9?-F)F#+1%F@uy26 z`PbDYz7C7pd-or@r?WTSCq!qL%&#Z1_{q{|1*f98XZi-IlQaH|!E{rh^jD(nz&83@ zvg*a~veU7q6a;DvBVibP<@3=$^_ZQalTVE}?>*;1w-8j+`}{(I?gur50%_QByNA@1 zOBoL~s9|Ke5#89zcnko-ZUD%KV?Q6wVhh9@+=k$@kbTf_2VIFh2;Hxo%ThNdpuh#) zA<}5MFy;5d4I(tWfT^)+)2Vrz`cH@3(LSXC({*a))STH!5ISQ&EJEgCQc1RZ%@!s} zV@K6d<*iCtn#E*XBAt+j)RNfx3tF)6%e6SX!W6BSGb7~CfCl(O~z9tuIrOY>1nO`;EIeBV93Ke&D;{kR#wXM2-NKYNrN6AcWU zPW$;vA5}H0{LOiyLpW^>jH07C8@*Fu61R%rBj)dLC3e^GO*&3qApQ=9djui zPsg1}xof#VcES0RwWgs93R6Ypw2eK(=D3==d$?A z<=Dq^Y3ue^u>=XhKQ96MOOKICIWGj3IC)eu>d@&WFOek-lqR2Yqz#|R`=k??o6tA z`&n3wI)G|NoV=qc=G``<=}{!BT)}_zu$* z4b30MEclm~h{KgFV;d#8r@c|Mo>sRrXsJ#7LXb_D%BmVL*ffM1vYX015-l3xmZ(id zd^o?F*ZbPYTpyud<)HzEYj&p8M3cdL)?3@sV`nTS%vHBZWyaF&vfD&)U~ur`Tf6qx z5wdW)ceftgz=480x1OU(G4ebm5@(viDG1P_=ukEo(>`blG|3P9mG|unieK~}a^ECt zF;Ivfej*RGL5(_QlHkJLld@=;ieC9Xot7TnMP0+wCu>4zu#M2XsnJWluS^?# zUL?2#IhElcp8MB}t=c|rm5|kh0|m;5PQRLSsVQq&aIF{>-DSh%fSHA^%vzRq6#@l) zM{sL}+%2=z@^S@m>Vy+cU{{Ip2=rS$gL%q$zvWJItWw}_EV$)S!U;D7i3w30(L*9E zKn}P9aUFg!1*)V3uC*cvlg?DvyMDqMF+5Gj0(n`ArhdT?LyC2$*O7QuM!o%0d^mo#Hw*elQyhdh&UDcnR`}iXkj-zkSNU$fj5GPPX}B_b&g5uv^=0>@)t%@4#1N@I zXZGevd+Jg9 z+x*>k6B)U&X-BR4)Z#`XhoE&+nkX|Dt_=?cPabcU4X?tLk1vYUHy}tV{wa z55?o>gY$=z(OQA8@spF$_Pcn(cgBaQZI9uQKU80;JkfXxe4 
zk(Z*!C+-bbUw7In`P9>tlvvUsR?G{JtgXyAg$+4}+_$ZV6$Vo%M-{ws4b9k(G26Hu xY?ioxBZ&+ONDDM$(vF?V3wmFG(4G zX}{mS^Ubxn^Uv&T-raL{&pVkU&vTyl?1MxCYK*_Hdp-<)J1|uE30O~3H%LapUd&k7 z!BE1*+)zgHv9YnFo{77wou@+(%)m z0m&GmK4z1Byo{d0x63!c&Esn7Tx);_UQrZF7C}!yIIKj#1%y2k&)?pCELJ!d;&t~@ ztSg``pe>}U@c{7j=*IoxqBrR3a613zcBaasY29$PZ)67PZ{2YpRb)^9KsSb>;~ z-jCQfEWB&z%v(!4?Tr2Xdm}GzW22M3;dJ9Pc7vTwaxGe#D+&@HH)Pydy)g0T6|h{V ziGmwZCK;)#M{pXv`_vyL1Rzd`Coo;$d%23k&1r^-l|hrXB%FiDcz~?9#W$u@2WGBN zFA*$co}xq;^|Zu2fEsHCHiF=8`jzYd*TnUz43Z9#LLh z+8ke7_G7UADb_F^QAL_T`Y50{Ox6_#vg)W6Uae82tL3rk7gBu*+j)jJfyYs$f(g64 zU;ZvZDpC69U9IHteH9lez926lX)adNpP;uh#OlDIUSiQ90tdEiTNMo)2q}NFtEEs#Vr^A?1u@WF>j}7IFDmH-{GV_BEUG z9CZ&Rtis$#UDTI;!g(1+#6@E_pRjYQxmi*em;q^WZ<`2QoUw_G#ZH0(irUG6jyW7f znblm#Ezh3jvv<2n+E|giZYpJLqgaAb!r5vLgGF{qivZdPGLZ{@7&VwkmmR=J21~}m ztrU(?OFPCEPj=_PMiIb2e~`w+WpV2XtF|Nx7FVUs-KWRlB4q%BDA<&7zM&{JFeXGt zVdkuCF8oiNr6)m=z!ho?nIMGi7zG_wYH(5UWIO{9ch6JJpMfYonk15&#`_S1bXKLZ zd{@#M!UtU)8p82~{{58IM3r1dHIxBLuEq zBpU$ilGKEl`l!p~;)09|=xQoK#3tUQQ$83PolcH(5*!9KU`9QTL7ZKZfvh=5&fXh7 zT?wpOJLfS{Y0ohq%M7lfhbEf?`5JS;pM44gVn^@%*)Tb^bzfsq;FT>Z{W?2=C_h(| zu@%0Fr#Ne=*!uXn`(~jqAd&+?OCu4XhO0-DrmvMr-~wc9M3oKjauQBqCy3g;wJV3) zRgM$*wgD$ZVwI)rL48WGph$q{i6z#%(YZPeE1I>0}9{O;E2Cqz7d< zMY}LB_;JQNv87Bv2M%|jxzzo3f}9Cc7)93bdLqX=Bc+_@`&^4PVlfQ#<4+g`b)dX+Dq)0h0kZd1oL8z1@`!uL}8B6lGc5eAATD*PMGWbWKDw z9rL)0H7Kg8swQ8u=S9R6=u7H|HqdOho0KIvb^r}fY4#+>sVLC|f*jf~ETyA!@%gN< z)`N46uq>bK7p*=-b1h?t$9JHIV*uz0(r8nyjbpjh=Xr?&hKi)lXtHCxM3<0TnA=<2 zCuzNcbVa(W)zt?Ro6H$T7lgb+xv9&hBl%dWU-e&SHY)_*s9alH+8Sy1=^i!NQ^f)k z)r}ubb@vDd{Ok^Vid_?rj1S2*MRh6wh&v+5b6#F+IIqCq5@s4XUuvsM_TOcTTkT?3 z6$ucg?assEe#Ooz}OqQGDTGkn7VB*d(1?(+lbLTc?3avafSP{i?>X{P647UMQ}6Y zv$@e+vUo#0-!&~9KQ^2cP+#<*3-C;nrqfhFFDr@WZE<$`V~y~HCPt_C!5{`*=?VZz zv6!GTVO843=@&l7TXGJyx;&t-erzB$Uj~liix5HXR-TAdfG4Qtw!2;I zMVWtnkp}Uz`Gtyad!ocPgNLxtyRIkzfFW9E+J`G&SYJKYCX{-RPF(IZj!V$obd$G& zYVwm=%9Ee$iL4*JOYO}2?ag)ej?~}3!S+vpKk(*`ydYc!hf%!7?!@_0MzeF& 
zmt4k>*RG0x=~Bu@>bI)@!8H;;>wCt_~x>j}VkVUQzj&XnHGO5{Y?(pgfIA}^P$xZgqE1h7{K;lGltr5IZvBEhz=c0k zY5?BSj}*2!^i-!Gk54Th{9*iA^(Rs55?nl;s-mj1W~G;P@q?FsZQQEmOFj-eh=uL4 ze|A62l&IJg0H)8!>d;^sh{%?h=WyGwGCx98-Ori_rag}e{&oMo<$LLk;@POg67Jpo zDVV=@`&Raj-Tm_)pWW`VJwp>aUs7DoO#u)3<2>*$><>ze6MBSKmtJ?`KV3kOr;1_( zJk;D{9?#29CYs88RH*mff`7x5N+FSb&oAs_ z)^SSEq4h14zqWZumZrdv{dF-ehUw;SB}dwW@zuiM*zubFDo7@uWQk7?v)%bJKL!j2 z?f5|&r}~4&X|tAshCLl4FMFy7d1y7vp3M1irG$k7A;bEgh zK2b~4R!&u0ycWd7K-@Y-%ykFZxhb-gYpX6e^f#M-s8VWw_Xaz8hn2y(00U^G*29Kn zALFGp4N?D*?1eG)ZWN+dWH}@JhReRL6sY8@JR}~I&di4dY1(Gtx~W)<@qGUNgozdf zzm7bgr42oK3vrePv(wm(2ld#-zoDEW>N*Wp{`z4?-@}L zpHwd71(ftQ*y4~M+bL1nhGip^BosI2zx|~9AusAL=k=O!;lr$dZ43|bAtR%DpRwZV zD5N2J|IF(WDgdW#!8fK88`PlsU~OH_MaO^T5g~Z}tapUaHZxWkcyF&Z<4Qd$ozi+V zebKsq-uP!K3X(JN#A%k3<8U2c?|SDamV)6N5w#Hwc(nnw04!(JV$?){n34+dtWB-c z&Jk8)tSlIKbP3am&facjw-1R@r#^e!U3z5kMPu%-S!`Givxt1)wpPX+4qNEpy66!b zt+AwCv9^TD9rSBH2-wYu3VkFz#W&JY5a&2x4O~Nj#$u00KF3$79Z5sXYW2$fl{(*V zysbZx#v}wpl;v?xiWA0mT(y-Oe3jvliFTaG-Yi9bGziMnM-I2GI8)6^xV;B<%qt1V z+Kfn^t%1o4rRFhmNj(iMdT;vE;Oh~bo27;BppHnLWSf`o1~uI#S?+0_4j_g8b+@(7sZPFsQE!HnOmd1QcDoPF&knIFQPV;q;rD(5gU!K4hc{R_<$IDS z&{JKFsJj>9_n)#Ka#`6e?>z;I>OJb19NC?bm8KM3Te&RR zaEy{1IwMytJ^HK6?D^+GQxA3lQsh*8PVEfj!V&>PO7m^E{n#A^>V@o@Mwdwll~24v z@0Izm*w$2T88I=`4^#~NYzdiOc1m+1K}9@Oa3Wiex%my5rkc{*1K`_NUk=Lx$2VQ{ zrmge@7dOg6mSan#n@dQfe=2ORTW|gJd9Y#e$Z5*`;ms1Q*JYk;Ns#vV8G4C{j-l^r zl3C5gg@<5ihtHc$i+uA=S@Zmjd>%UGc+*9l5R1j7isv1pPz{8^#0#9{T;2h=gqR{J z~RF3hPjBNeva+#yoCmf@YM?8mVXhs8vOPK0L^H3Sr``|}0_>fo^~ zq$hMEJ7g-2D;L5Dh&j0j;+X?+)wA}4D_iP)!lMc0O^Z*)8H*OLc9mVO zOwjDr!%ph(CeT7>zDxNKtIE15>Zc;_YreNnF}6=I-j8AhKc!nZB8V+vSmP~AbL`_} zSo}WzMi~oqEpiq~H)wj$j{qo^A*h-vZ`1uhe1GyK z&XL}x(9Vy@*~9nx0}!Pzd&*BdrkV~W$b9Q13I~CwzOo|Vvm1b z0XJhEF&3Zxu*`CQ%rM`&NT_sOj*LWEFj&Q5;u`QWVNze&X35@V@&4TXlp65VvLfFr zzwntXls&*f$?mzJETThu#`g!?q!h0zW<+Hz2tp&sG@T>aQ6in!UC%ihc7f!@c(0)L zEM2!Py`LzB2#>pPQ19)Bguec(pZN1@*Nwi`wa8Q~X2Ak%&O!CF`$MU=F|*skRd_dNV@^$B0T 
z#8u2X``agkrAKquD%J%R^mTtQx+cbm(uV0L$U3T$%5b{rO-?!jvkYidUsXTfBwwsb z8o_fNwY&H>9YGrSQdPRnrC|2GuC`)9yDe`Q)pP{de9$kr=$9}>yyuJbrA&6!^T=>Y zRh(qf^Xk3nF?__w7xYR7`yMz4(o7m0TT`*PuDvLF%$KCBWx4ue4kYqg7%GUEHf)6e$8&yx#0+SPoCiIj^ zk-TD0$~GK&(loSR+`KB|Y~kCMtZFSembiN4PUj#)jGadCZgXhL)v6&9lo*|xx94$f zBfH`kt;5smQP>t3yQ;s!n&d+@u|e(vaL^(G)J$Lrx{R#YIn?ASTRb^HWaB_^8Od4U zpH&}F%zRknaCXJBBN7HQXM$J?N2ec>*~c7`BU*WcazUBXR>DuNsZ+6TFf^*EZObJ? zSB#8o^I|E}mQcoiL8kgHgn7mEm1;M?`XfxW>0yIFP%#OjL`^$}opu4Bj^%q@40$zB z;FrZ;8_z*DtEqFbE1Yak#VF>TY*2)o(`f61QB&lGC(<$NVhZAjK&`9qYD5q_H+_G#a>%0E8qf$9VBxYnEpS!hgU#2}ZuG-$n zi@!U=D;88gsT(wYT%}e|#@B?KY@3<361-GR5L3HFLwk#_0XgT0uSj)=o*7Wia1$0I zaxStRWOOL>v^Z{_b*U*_V2_mdmWR>nW)0%o!A>F691S1TKYM}M_}z<^nb zc54|~enp8Q5sEpb2!#bl*3gLuBIoJicR*A_nZaGTAqnnP7a4AUsEfVR;{@gckQqeg z{p?GKRs*ZE%_|w;4Cs9&x6?JR^yK69PpAEWX?cqo$*KUvvPFY$>Yp9QRMv(@kMSfO ze4b{gg>mM~s*bR4k=?ea9$WW4-~HWrk#zZ|4}t=}#cQ`nWYo!G2l(!h;EBYRYKGAv z>@WMPU|cp1l$pwFC5C+UCQy=6=TFtxnJ9C}YjKe{!I*k}=9mgN>8Yw{XlsI0Rj$e4 zRI`P*UA~hK<`?%L6EK*&Yih8ur*&QIcV}qbh@aO8ob-6zFKf*xV)fura-Zy>;l6$( zxh0X!dz(z=f<=`^rYOpFPV!WZA98YxYrT8lKDghsbB;WY`#F?3C(h8nFrK6`@kUIM zAO{DVitl4duyr}sX756)Rpyp!W1~jl$(c0jM9C0edlCDYl~JCx04uL=*t}w3o-Cw} zzsA}_sztiQ#^uih4lkrZfzj_`iM;zB-|EHt)34PAQ5A^2Pj0KQ1pWv7)Xr8@ou0Gx zLk$`d${E-hfWQmZaJQ`0S__{uuM1rOwfyFaoZ#!y$k!L{DNjiaW@p?Jo{F50w@R^e zf7MZn;IazRacyz2)lPg@XH~Y;*%taR^RS1`ue3*u?xh|@cN^_&{sNJR7lQf`FAiLis||4S)>L7U!x7AC_0shSAa0mo&ceM-P8^%# z=%WLuqlYmgcN=`kQL1tcyT{-0`pfXa_?wgomZD}T8uQ(Regt)D@T>ePUP^Mbu=qBl z{rw6adA5?k@4rJ-*ajWt3R4SjT>P4nYTXDLed=cGw=1IK$o*k3y2YV+&v#@fWqFbc zGwKn+SNT19$D_I9^YY^LfqDKaOFUou@pBkIU%Ry|-DkJ#qGQZ~kA-r!;w(m@e)W!fjJj6Fl&YSRgiFFT_@^HK&ZEQ@ulANOo7|wiy2EUFBz8K8QlJH!eqRdK7 zo2C#4!T=l1Ln`f&Kh#)y_T9o4iQtAj+&i^GXF)jDXsKT?dpI?1v34Z+ErXD|M^~RMJ4)7jz`; z;aRVBPjJwD_Ed1JdiD5qO%g2K^)-vxnDD!4e4!ZFa|>OEZ3xf7&|)Dq%!@u%#%xjSn`F2aCG;3O#bz5{{{1%UaXWP}2dKAq7+3fBi+y+6a~rYg z#RGf-&IcUTem6>}z`@UAwQ@A&r^_R;r`Yk|_!N*ii^tfyVE#Ol4B#J(FCQhkDTA=b zUxbr95DFtQIP`bcY8cp&C5Jm|eSy`I%&-X`R50AcqquvvFf|I_O3ggJ{mec2`FX+b 
z_&>k7O?3Gl2<5!lyS3G3hj$x@@Y=vmdbO8&3U%?a2DY6N0g4WG5B&FSd&iFO$%7L} zzmUgKep$xp-O&y0J>8|7(JTR|W!%N<{N`WmGQ%wo31P%qO5jP8(2Ic0yH$$fPkxIX zyOpz<^Cfj)d$2JU&5dV=3iO6*E9U};D?jUHdwQvh`cA37!o&%;c2_p`8M zKkA+O9$n5BB%9PT>RI4w$4g9gE`0#$ES|B zzV%hE5V8tCzLI&NY8UHpD^%*QT>9^^5vJgPYb@#`;qQBV)CxV1u8Lt>RaMtj=P;(Ebc#8_9$nD{VMl+q}DxhX;iI({9e)p;>DD8_0|^gChF5{lg@RV zW^-cMwcT3^&f^Lt2ENz&(J23fct~|nmXJ#lEc1(q))@ToNHb)R5JHni{$3&+KAE@T zacotLba{_Ba__Dk_j%=_c^d)k(7CcCldxO=HG?l~BYUB(Eqc0OhyIlLqzunG4yO*( z0bNL5`%e;2&RW&qzzf-8$nE4;aS?~wH9QTW-t#u9Imqmr17b-DVbd3KwYvw7xjSV| zI|pxt+dl9Nb5|?EujD4{zWN*gR}ti6o=Zo96^ODYi(|jBzrA+L z)RhdNvD&p_$XxEmhxT6#)j$KQe_@%RsGT_Z6@SDh)E}ua+n}y6OI?e9-pTfM?vpyX z59JB1U2tS>Vs>vfpy%k}w7<#&$2|U+7lCho*)?=bPlY5FcO+N$6HkpA zYp8O$9Cv(4tgx@wpLWJTYRda)WuyuRu8^PSl6Js&(*r(5n^fY3ND9jphKO?LspdUy3c ze8_Y8S=7_LI*-L*5GHYAC$8zgv5o~!(A`!!3A$5`#OP!T7a~B4QR4n{!9-u9tzWtDF#Ys@p{;Td3MD$6 zxqsF|{4(^mcvLuZ>&j6Wo%U=0mNqG)jgG_U1vEP3SjUkVvQo!rH!Sr2==Fd(w(weN z(7#=o%h6k-=b-4jt0h54@>N3bgXogrADE2L_~`-*AY=Ofzi3M@t7wZ z^TX?7-4uR4n(=3x{iT82T^d?^92{8LelH|MbL@c-Dr5020j6jU=A$cV7C9yg11OXd zQ#?65duLIHLo*@V7|qY)%Qh%zFgr%2Wz)^lX;PL2LtLO+1iX?{`ugRuxoVr+^n^(S zsXJ4zybQ1pzsC_p=e`gDyjA7GUl**f=Pa+>Q}kQ!gS5UN$^&U<+AI?}J)jgN*4Pt> z*19`L>j%Hrz)~Lh&Z`a=QiX$IeH;m839Khka5)0UA^QeXRV$Wzro>_Rz42;N;_@n4 zMXg(TU0qE@MNJJ8psLo(xttZtJ_^$MRFohl5bRz$398w8sYMhsxJ$9brPIiWxx}@k zlRj}Eups|h4JepbL6+ON;Z9M>cah!K#&&t2mB$FBh~Yq`>2y}QQZEds4@QmIzMx#RLo~a5D zVL_d`uc(QmM@Y#+m_(u=^MSw;sk@~9N3<@D+bw#dIbDEKc9_)O)pG^7TFBxeA)#qL zxKu_uz^13mlL>a6NMnCKG40G2IYOOP>aB|5;1kU5pm+IIBf^LIs?cgW&z;w`HwT?Q ze@rW5QUhR4p3Td zjHjIIUyUQkuvDcrYnx%y#ngz*hL)CGwG$#4A7*Z5K)qrUQACbcr)Lcql^hV;2YvBb zSR~7_v)wF@u*zKMF}3tuliBnt^chR$Gu3=gwdSaYAzT}D2YDL*x6Il14{6f>WX@IP ze=}!`&+^O#(W0Lss^W+Q`!cbqu$&zw+zf2RLx$TIw>Rbqeblc;cn=hgLfAR^#4(@b zptva|nM4vKVm_)>mb)ReugR6OA?uQ|z9pFBf|vEJ@NlQvCS@#4)u)9PN#T+-;;Ojg z(`iVf?f)}rK0hp@Zr_S)5eU}_k@4FlVT`EWMBDs&WO5`IszUJH!b) zBOGf+PkPv8r+Q-g)kZJcXhzT#IUUxF;Xg^jG5mAV9LBHv(kJ55+r2ShavuhgsgPJw 
zO1LS3Fp7P$aF<$BLt*;3J{US-?oRnrK2#tV&7bH)ahW8VQ5O``?a)s0ej3(}QCO$v zq|WR2#R`as|3%&#l)zRd-KbTgsVtT8{D0Gyv6frcuQhga_}C+&wyLk8IY!x|)j7CE zL7r3k88;-kxCgS2owy$$M4WxIrry{|Zq&5b>xp$lQsXG(Pzv7lKA(=~=30+PI74jC zbJ!{5kam;VFb;f#JnHJ9PnZAt+1X)sup}Z#K>vRFF#X0=4AxN`_ATJ@!Id07aYia9 z;h!R+seA4Gmp`%f@IDsI{ePykxj5D4|3C8Ca*mCX-An(FSgsU_O2Q4$qm7q^qI?mn zy(@tiom_2q*{eY1`6iF)#XU37@%qeR;0nd}^Qr7W+QHZEA&dR|@3g5+7qVJWug}PK zL!0ndT7TVaIC@+#E#tW=c-(9hjJJB7Uo8|X@E>ys(`)$%X2>YW;mk4=^mae9s3zd{@kJ=I0pBpM=Zg3LLIB_g=3Nu`YN_gv*P!URoMf7#@?cps^ADZqA=OMg?XT7-w`o>Xf~Nwq5m){mKPej@*I(VpDs>+JU& zHjkP-&XRZ-C8I#@srDS3&{M6JgmNqXoP=sCp7~#M$0qhvYehY5r(92-*wJtZNZZla z|JNL-44!fNpc|%8JEaV|+1NkhY^3T%8|5JXvHa^B@ypQbm~_!b7V&n<4tmLd?(29o zTk)30?r5Lkg(#+UbbF6PcY=NY2>_TwzeCIa6AJ${@}GweCfZ|i2R&e!!;#{^m*VK^ z!^P|IvWSSM+G6vHO=iDE;Fa|6vWR zIcP$_q>H8=_@r3Ja62?__{$+^aOSdTm~iHd1myowgDoUFINYgX7W9hN>(a8 z)D_(y(6t{K@hEk%Wp={=ai(Zj?XJ>rbBcg*E+dfS1~FZ@~t>9 z?4tE{N^W05RfKx9%vZ~KboGAi@;E)B-6Nb{1QnoAQIw$%$Y>Tc{NB$)aCud7r&Bpqr+4E0bFPmd4^qAt5 zr9?Cd)S!m3B;GFi#zK_hPQX9~7NYp;)!YJeGBc`A-K0q7(a=?^CT=Ep-a|*S`6cv! 
zng+#q3lxYnFUqEp8Bh!f+SASLMF?NhVO zsIowd@O&m-Fyp5WH;gtu$YD)MvrJTBIq-G9( zB%*|I=?TrXvr=Y0a)-NiLp*u4!?cA$L7B?vf>lOhBnS)l2WFBfUmwKdmoz~_xC^6( z5;Vh{6Kq(SG2$%FHD9nzDXuO8OZcJQL6i=_TNX}$^G5CSrbF%GW15HXZ1FS<%607Y zJ16`ft5L=sS(VB&cQ=SiCI9?`W)8uMZqNU>n1hpsZx{Z!U_-+{=8*J{IlMRhe_;;K zQPl0Bwzd@kuYQ0|>RDs~@Zgkq0;bo}N%(l;w8BQV*QR~fmdXFc8$x5zykUBlM#BNk z8}JzWKI33u{w-@mTzNmtN{#gXh*2Kc8PCL{gzFhj#Qde4ZH(pJB3f;?6;9cy7@`mh zV(Ek?$OI9X&>paDF*tJDG|2{yKg*RCG2Hzf)GJy*Q#3dH^D~%ZPx04^NMz2y7R2RA8}^lo%kP>eSkr$-rANFjs?uTk1Xb> zxFsBXU5z5PN+P`N7s&cX=?2JEv|r9g_r z9*MA*pX(J;Hq3y6CSNT#iALf$vb#z9nr{WS$~hQ+0#>!zAF2Fb=7{0?jCqg;!5Br5l^E`XXpy2f130^e(S5Xfw|QN^?WOBgkp$M~@%SLf6W2 zBgYT_s?H9+Py|a(yU;bYAmH%hd|&D3#LfSYdbp%&7C)onOHGhyn@_#)we-dO zgUY_vx@M06MSdsY6x(FgJTh^Aq_{lBs!{35@Lq)ID&3!`w-wmmI~Pu~wE8NS>vY4h zXwFKMSM~q&-MpMTSgjG7Wt7MP@uA6!URL|p29*dYyrXjjM^_KPjLki|M{x77!jruPs z_-TWeh>a!%56RG^;6Ebx7;Y1(AIAXg&7p3i{O4I6!Qa&diS@ARLJJ)e*8?I!%L@O5 zv*~dK(+*JKubr8LevT&|?|j$WEMzBUissi1)D5*uOjZKP4$oDeB{nmGpC$S^#_!O& zJk8mmJ^9yMm`u?YuCRW=1y2}W8@MY9rwxq%ujR)_TA-pVP{hyBMs&Ldpa+GYaofO0 z5&yBE$LJ<6jGo%GMNeHI(Qd=_|8bWrM+a!MM?3Imvu<&)Y;j!Rp*s&ubQE-eSK;XQ zS1RbG=)ofh-9Ha2BKj>3D?IezBAmNjUAA3)16QbBy%PuYZ-5^Eog(BwcQgX%j?~>K zt|*`#k1CQ4I42-OK=_RcfCl@HNVKew#g4}Jr#b(?8jbz#wrCLM3PX2HS?KN&`2Wc1 zxr_g~@c)HvG-&q@p`o16hC=BTKGFa12{h1O^`R-nx-ELgN6r*VCM0NrfOeNeQ-RuQ zwAfHkyc1 z`-76b$rd=HlCy6^X7&i$madd0VVcRI{)$~42vR{ggOtS=@M(e$CgX?g8)7?U@1$rG zv+k0IPfz1us}f7At1C-OD=VZ4MpCd**VyniTi6^wL$rz%Qvj)b&jJ=B0=K+`Wm;-XBFm zjwYl#8(=(9^%26(2B$)pos$w><%#APKdR6igJ)jXf2=uNFvy$mKWu^o<=)jHn<`1- z-!uP%s>xm@oc!kfHWdp|IptJ7KF0-EBMmwBZOcuAVLrVN-Vc7og$Y=c5a{*a+!gY8 zoae(bFkoB7r~@&QAkyP}6QE24o>H&Vz#ug!=9Oa1(DA(bfx-;8yf6ibXQ^nZOQ&*> zu(gJyW#wn|M?QP`l2Uq^ECy~VqC*Q2;A10(Y0;!>_Xk2EaVqS;@U!TE^dc*T2@G?a z^L)hZfHf0zYL1AEIwF~T$}(^8B9#ULB*n9R|Ygd22I|z3& zclN>V11%bQE^RDaquaM`GPnHYqKbz_N=Ckn_9LLX0P*8b_}2q*n;;2h=03-AY(;t9KpR zNK=#BX_6L;&kLs968{!RmDez=3eV^ntjU(JJk`h`#noFR$)Y8l?f#CZ%FCwvltwtS zD*ZGkigo;5MfK!Y`_%}Xq;jjeAVZVvj-+NhNOUduT?JZtflm?F`^o%0%){YgkSvac 
z#?7sBie(3ML30ebByFS7(m+;F7BQ=HHaq*&^Nk#%A2m>$hno8{Tr1ODe@lhkZcl{p zw(A7)5YociGzmza8-YEK)ZJ&&;spVmf7L4F4!v(Zr3*OEuaJ(Aktf_B$k+B}uJZ5E z8%tb`aX?X!eJ(}%d`S)9Z+&JWrLloKvQqg+cR^mOj7@)ho)>i42w>TdfB7~DIg6R6 zPO?;VrFTR0D=280F~Zna-G`}-lTghLWy(-*V~4JaHXSwhvf&hlp)nc(AEHsOP@*ZL zc&;|gh6{SNPeEzJKyXCtibIR&_pu4{4Xy7sXZniS(OPcr%{gVW6g1E$4E`YdtM5VLTm-z)+ zW|GyVkwT;WH`&>cc`ZR~Ys|+j)NxH+ARPu2hss{H*2SfM9yAP4JWRE8`%I2PVtD6x z@A1|y2!YiX$o<*xy;`RS%^LdAL7J^{VTXy?IVRrA4ld zlBnrgB0gHYf>DWgQ2I%ZUVRdYEEcydtG5i}pU5B*Xs98~(%Z~`c-=aJD8*5hGF{m_ zu)^hIymZ4M^evJ%HJjHV~J4<-N$2ra$W1fKF=v3@ILR+H1wK5kxlJb(EGXt|YQaOqJ|A?zCnHY;grQ+JQtBQd&c5{%BI zQ~M2GA~}M~;&9~#YCRxq;{I9Jwn+tv7vns(c=BrBl-+8YKYZXY_i+#|^T$)E73uBm z$Mo$*RB%cdw=jcOl18G0f3vBP8($?Qh$D$7^O+d)jBdOUbeaJL@BQWzfge?uuJf$x zWDiDs-39 zFw2m_dOa7e~RyZ@T-smNx+Yo zz~r&xMYbop2r{_D73vb~CVSE;yZMReQ5kTSS2cWkFC2lt;J`H^=+6I$WPwpcFVjlu zmx$TnT{tb_m7Rl4!sSGMqsqtXla}1&^n#UpqCr_uM*VuI16MYd{K~zXo2x5)_1@LK zg%n-h@8yr$ZB_2ZsOfc`@g$@W*T>*PNlLA2q#I$tMt@WuRW^JbDh%5ODLOjlC8n*@ zCGzl=>%z+#w%#JAD&*JFO$5ranRdEg5oZ@yRDaE_zPp2@C}qE6%2l1A#7fdt4r3z* zkotpZsw=pRv96v8#G_9IQG)Ge9x;=Je9n*}%9N>ymLPrem>Jin*Q&^VYncB{6w?J3 zGdqJ_9|K3EI|cli+6oSDm%}XKIDx?dHE|wD$=qdt_B)is0%mXA2zf8Zt@Sj%Te$f| zuPnoBc48`?Yk>u-t{!SHAR3f9AO2l@ESL+%FGDBgD1hss^nCVTGT6OXE6s_t;^UmlL_WoA0AKm&9N1 zvI=hBW&QjG&xpG>5v%R>yMG#{TCMQ;-dOXi4@iS{R$Lnk9;kP6rCbmvwHv?kRn?fl zzkh7A+xRhTxVAd+(p{fEQyI`M~+!+vv8>&bK6D?GUIh`Kt*Ib}(vTDc4- z;DmK{J@4rs@hBBgMMadJv4oo|RGWeOGhEENq5jZ9iFe>E?xnH*0zDC3(8Ymoh&`YLvZ2Dx(E3mxD%pMW^?T;%37|I@k?u1#@#p+tPH!d5k1t-Nm#xs>gZ{yXj=X)BDRgV zF%Vs4!J~bEi5B(!##uuyDY3%A9IkrY=}Krlqqf31b|dm;gLIkiaA^H5pD{>c{r)u8 zTcY&GyBC)A_aQAPnvHvpCWkUn-qnI2wch3r;m;F~ex&T1WDTtB`Pjuhxi+Vak&bcx zqCd9BqRv{HeNKEeowD4+!2fO)g)Hy6{?xaypf24LSXwI@=erK_S$p~&f9N7h+=YLL zFGK8({)xvpJxMQ#{(T+tzNllR^{Z1K|6N_Lz}-_ze=85dF&457}UcmJYs+1Mx5=qWDyAG4RC#f+`~6(jg06s zC5v!ZF-FA!-lajRi>#u;BpFaAvuNB#ROb2D63IZK0e!*mcSEH{nA*5i(t&Amtc(-UUAww=Z1SJyZ zDv%>y>M!72xFABSyTqGi@aUb4x4>~qdIPd6JLw=ULO7+K2h;8SN5U#{-u18U9~PWA 
z*R_b;y{1V+%Hn0%ONAXrHF%joGHg4~4z4{c(mYJ__F307CmPm@5}%oca9me=&`v2} zIVi`a;P9=Fc2X-wV@-rwaJymVwSK3vjlI!S!awViC_RMZTG`3Nd;VTN3_+~FKWj~NOeQxI=&9NyiR+Cmsc=R#aEnJ=_uAHRB;vpzO zzNO@-gyIxlRjn#BT4a1~^gP-#tV%EIIDDP00xEKF8^c89t{zxP^{7mgmYU-FPzkdT z8ynYTMo?0YiC_7Z_4Ge@_9`x8aG@5En7lHDUQD@AnUD!KTw-Wgs+E}Zr&GGDVR0_wQn?LK-pB}au#LAX!4>2~+^jv=1 z(KFroJ1=B}2$kFiDcwfPTNAd$u*Akr4SEV5WTdiCO-jqw2*IQgUaoiB*3W3H0DmqT zl!GAVLFDq~$0CCASCK)XPhMo_e{fe>iN1Wn^z_#m=#km;mrotXclGDt0O%fFjewxc zkxSoxj*!N-Vs161xetM*bznh+wn*S%>u>MZjE9%f>7qIn;SMX}*_`MTj6#kqFW|WjbM%BdL-pyxe9P&k(3kMfTkW(}fCKswb0LFm=obgEA#tXRM!l=e< zAJMSJ?8cF}w6f92p!3JspPTd>lkoqP%I#85sPU<)Q6ryZs?k?qVKLHDw*FG2?IX!_ zxU`&9W4C>-@;C*zBj=_eob82sT;V+l2f1yS)TFWPL#a#e=tpUNq5X2Ci&MV3nBuch zyP`2_NU1!z)qXg*+UN-|#m?G%%2Z_K}B4=})?4vn7W2zmu-;Ul;pqUfQeCK5DE4SdiltERqVT-K1?mP~Rnr_*loK+L zvIeIxNeMCNmwz1kf)SqQoSd)(WWk`|&x9FjYNzEgt(`HQGT{^{q%+gK=3JGUn(jBz ztiq4fg~WIhuDS+uFi|Y#w6ikKMoB#`T%TXxVD(JQe`i5{;_mTgTYNc`^3D9VOyv{t z`d=PJEi^b|S@s$^kA!^7 zcwSAD*G3SbG@BYL56dto%*Q({LYi4P7g(OSe0V-;m?ZKRxOp9eXgxsYx?WH9bX=xu zG(t_sM3%m)6L)p)r@009^MlpLUEq9%EEUN~sdG#7QHB}^-#>JkTKS*+_Oeoac6WBF z)m5nA=XO^g`Ylc5nNNsrj$DnM>j&%a2^(f24JFpH)lceT8Je6VbRU_%#x`oGyJGVg zZ~*eFD)he1?-sqwU3>86);r&zVw1^wsaXZuC>GZt9!40o!OqNBMa_sKes>I z4+@*V4N#p)t;7v^dHwpj_UC^AG(gM0esf&UIUDS<_wV=Eq;ureOAol}=`m<9FZfxJ~YRe}fwrY_9LT-F`i% zL{GkH!}W$J;_MGzmO~VdYdhjjt-#g=~%WHpVI^)CLE}OqW^&z(m-90@TjotmK zr{^z4H9P${cE@ejzvha~pMUna??XNNz47!|@z#S*+<2GGwrhD}`@43AzuW(`gO+Y9 zZ~yFr%isO}!+8&HwSD}CYnR@<={t=lZ+zd}owwZW`W-i$^^cd2`Q+R0pSkXh&qJqd zeCm@|4!QHE<)8lg)d~Ok=GR5v-S^G%=()RIC0zXWi1U};w&>I6?uc)?(T8{KmiTS@ zq`m%q>#z;Z-SqJx4=#N1H>buQe(H}ScWyiNtzlD!-T&|7ZW;1``1$sIOH*|EwjUlk z@(S`${~KG?o&KK>_FfQg>zwq>USAyYV|#4*mhZIm-~IVs@W(}09)0QhM|~RIBfZh2 zfB$>g^dHsT|FhL?w{CdOJ&WhwFs5d^=f7J&dwJ^@8+;PK{n@tU$?)`92aMc(>)xkY z^j~lO`jFk14V&|bdi@!H%KU;q-+t~P!+!U}j*mCrJ?wH3I*5bW3zT(6a=8m}N#EnKhbok#+KdoxZH-B^LzlD}dTDG{lcfIxgc;h*T zPizy1?Qmaw`Fph=FS+c9n`YjzMsuSz`9+)xlvFjhWzy7SZhMnJZT5Qny?9&2O18^ufy>Z@X5UUEg}-M_ZnEPu)+Szdrxz 
zJ)i47P~73%c-8f9{NE0zos2i?ThKA|i^H1snWdx`AF$pQA8H%d9()wq=jENN?r(3t z>%xwPwH_!kq8y|A~s>9G5kHtqCz-NyHi-sJa-o|rTH?n|z?|MSpI zCp~f5v3vjD7%QLZSuu*(!XR_|MnXU zeg8E5fZ-y-pHx66>n(@zd^}q4u*oz*! z{fT!*$IeN8zxcip^Zz;a%4a&4HlOn&{OfOi_wpg99q`#DyPn&G7yod zc1p{{5ev6}X4lcp)nDInLw4e*7e20g|Mq<^!bjeB=a|$l?%lS$ z;>%?Vm8bd-{KvDGUG(<@((zm9%ZL27^VTK5o4w!EO|Ay>W=DQ^!Qbw<{@q8Ev*7a| zZ2D8jyTY{FdplwydcIt`&oAlkPWtl5!~Z_#P4d^TX5M`3i6=HaIA`7?uY7geU8%Q^ z*!Z@snogQ`{TF)AvEz5WZT{ zXK!`ePv|fIXgMHy$&Jq~nZNL*uTIy_tsYa80JyLca*uWy-t{K8}Q zzOQ=0Ie(bE{+~B{Zl*P0+^(5!c-*fu7xymP^1ko8TDSXZ z+iRY^>a(tWj_v#W%bh+}-hK1_J?8zo{zT!X{#QT#>ZkvgePP$<4*KY+qaJ;J%-4(G zeEOHOHqT!6;}@S?HUFXeUfFP{k?l$x@(29QS-*aM`(4YHZ1>QQ&w}US!p_TE4@%CN z@Rtq$bmyTPK7YpWo437c%E)Km9Ch5Gw=7+B>BzH%`~H3Kp4UF3Cc^ui_wciq>~oSF z|Kl&uJ@wK);;iIW+w8Rq_~oDr;r8d>`{Mh(Po6#gsEtpUGv>Ij?-_g7cH-B6prej^ zYV3m44e@@xf9m%e^xu8mb91)6^hjaOw+Ao2v-Wp8ZFIq@lg3V-I81r$`Yn{xHhK85 zDPN(lGZ&sWbl)vs{p|VufB(jUH|~At`c1!I`2Ka9-FMKZw}rpd|Cxzy_tY~_9r5_Z zkN;_>zh3a<>Eqr$_^?yrn?p(}#SxWaFK->E7udjo1DB0^aeiNq3Ch_R({{{T2TBcKF9BJ3N`$?t}N&KXcRT z-nu?>l5&prz*qk`__2F$?5z3lr7vH5|Larkzv}5To;vQS2m8kko&D{xA5VDw*h6P8 zpYZ=)d4+tmsH^IN?~eU^hi^|Af6kPL9zOQA|Lk*j_OBD(dH&Nk&VA~r`DfkNGWm^b z#-6y_8OLo}^@s6`w;cDxpSIVZm^k@e>52t2nyw$c^Ldw#pYqmO=WaAq+2++Fp4fjx z?YmW{J-m3zR}0qb+G4lg_IG`-;FFI(*l7!4x82`=ds5v#Ck^}iac|!Bas8cl?9jVl z-1m2XeBd?rFBYWoPx|4?%$R+KHl2O#J$TI5SN^os><>Hscd-Aneo8PqL)mJZm z*!b+DZ!QXL{N2mzUw+fAuU>QCY5U{1HaUBz<9}Yb+0*+!`eOQ=n?8y3lk1*eesDND zSM<@4sheTcl3klFS9Z#Mm9@7XV(^mWg@pTc88zaRP7d9nVvUAH~ne(H{MmnUyM z|96)?{q>UmZALGiG5(y7CeGfxe_Q3*KOFnQ>35G%uKZcqbA!isyJ+gtXD-_CnO8P$ zICHD{SO2Nz=s%wO&7&V&y7iKwOIo&`an&MuySd}uKIX2uuU_-@@eOCay7z0B$M7Aq zji2Q$Cuk4u_pb*s2amexfLBK>xmx}1;49B*Z*J?kXGi$R^J9iI&OGpi9T$unb<;){ zeXGZh+aKI9BKe=IcR1`yIepU5`gwg195(sXebG@zFB<;Lg8OfI<vFaPZ)V{aZm6;6NV zv%Qzzb;r~Dzy3kfE`Q9PJ#@1-cHHdge|_JO+IX|)#@(}C?ARx(kJ$ghXP>>b<-__* zhJU}yW@pabCHa>t{&dFTKW+WO{?{yB^x{WLMvmS8guAc!l7zaJ*KNPg0h?U0c$Eq-TJ3pFPOjl`=^h4_0@EE!CNm~@%mP~uXn+RFa9|G+5;ya 
zdF-uIZr(C{*l%z6Tg_E1=Pf(($miNmzo2jS-$!o#pG&i6FNmFW@(-tfR-PIUwCrdybMM5m z-EY5Q{+!EY^1eM*=%yp?4P#2^sLk&`yaP`{qB!meBuKi|9oTJfeVC-fA?zp z?Jq|rG{4?7wDHsU7kh6L6OIqv`)+Krk6Ol`)%xb_-9Exk?mugvZlPuld|=nJ-u~pw zjo-cQuV?Re>->)%`s}@{-xThAclxnko&UpC`@TGB#sgdK_xgUr+D`m%hsTb*^_o{6 zt$w}!Z%au~lkRzU(P8St^43orKmXDC zV>aCLrPt?fefxav5ATeaxKm5*pFcFF?sCanGq1jMpLZUPUv}}ZA3j??qUW@U;;56Q zkF%3rkY_Ld?yyD5R@eUh{KfLc&z!lu|L=djV&oaS-`Dz&W0zh1%8@Ugcii_|e)9h1 zXQJ(||EI8QyJ6``ul(Upk6pY^>$q{FqCd{PuJMvvw5B6&pM7I&%jk#OjG1)Hs4cXI z4?FIH**m|#aOeL!s`JAq7yYc`-XFjH<%0+B`fkY{pZ)gr1?M+h-#zY!Nl*Ow!+V$S zb$o2{MX&vH*`*V1TsS5@`<#=XylvZ~zyJ0f`RHD{-(Qmp=UjaK$2&KS7;^=9;QU*6 zIRBu<#?#WYFAv=s?)aRr%K^0$C)JL<@E_kT=$hB`-unl?^UFs4-;Fp@KXsEczuEei zZx>CD9AEXX-M9SY*XSS5TOLNcpFes2{ld^Me%v&B!2eY@ZS*##>*@E+|M`_q|8@I8 zN6+5tp)(#m@cl`DyZGue9^Lqvb0)Q3J9*))XK#Oje#FMZ+MeI$>ZadiUbrUH$ z#`)XL{O4abeCV=gzPxSh**|O%=^z(RzTnN>cYR}8=7Ig+oqf#b`(JqLGdt8QyruTQ z)0Q0+zNcw))jJnW{CW4GR~~rB_@O%<^5=&x4?i*VQ4u*w{Wv3ray6PU;o{| ze0j~)7d?B`{n96&ymJ3lr{DkfKW}>dr8!p}^z$$BCgbPrH(|dUzrE+<`#*U2rJuT{ z|8w7a7VLV&-F?S?O+NYN={LWA>-*2&f9sc1&U^OR7ngi<_)GtJ_PqPwKK<77?tk{G zMYF*APrP-sws-cctH*wK*$tD2p8n+)b-TB{aZuxn%eOr-{>YQ^!p)DW-?RVgiMPN1 z$oYFdzgycOZ~X0)OT-W6?x?q~cWr&^YlmOdbc*zC_|kj!{@ZQK-p=Cd4sR!y%O4)S z*;h?7c3SWB;TJxm9=26g_er;$i>JPDXZ>j(y*;*J_Zzk6;;)~7)*i`EZ@A>LO{Y8> zdqdj%iAUqK_MV3)EgY{XXIy`D%_r5TPHXu#e$?4dk6m!l57(Uf{E{($>A3innegu8 z?|kw6rB}Z64Wm=T9B{r~K|Q*`BD zlrieM6S_QLgL zUPnmxXIZ9$GiNvZj~PILu#2%EOZ)ei1jnSbqw^VYJB301oXiM<2DVk)3G8$)wJ1ua zho^>W0u`|7F%cl~#z0lVzK5ah@QQ};JARwqaCvH(+Zgn+GZ`ImId&6b>zTMRc=c{scEnOt8Jw>6 zUq+&$rKlnZt--hpg2_L&o!vcS9J05q=}vVR_?vZPpH{B<0@jxEpS;Lq`s>Lrmy4h6 zQ~HD*UW!|vo>z|Ncc00U2%gC>IzMwxlb55>B!R|?O>v*thaM-tXQY?5R;iUCAl%_| zw0a7lVXXFB-*J#0gWJK4cd=pekI2DD9MI*FWqa+lrRI0jf*BN*S3VMh!V>JFDreIu zRW;k%o-0L83SJwy#=nybf2@Pv1sBw3Ii%R*H=$Mf_s2UtS5a?@bcIe}31dlxy2FEs zMP8-iE*B1@Yrw@hY>9Be0PuF~%Yx(n#LUOrP%!udPft8%zLtA5v1(wgJs3fe!kj-{+vajDPUv~Y1Ga6)byObV!@DbYqZ zVXbmOID4lMeSToV1n0}>`ncMyxY2qhD1@&|3j#&Sz5LFiIY+0KqfIWulhHNlJCHH( 
z=L~JFa8f&ShautKOsv&k`cVWoKuOA&aSZ#Mg2CWtUjh+$R>mZ81{7#olg^bwZN`Q;hM*Eb?6zVh%TFhEq;ve zhU++@S>OPMU?g6`j&**#XJ92M#u^c-^7q3NOt`EGH;=4xCWcVB@1<$G2hm+IE+Q`)7ywnu|UXlb~5{On3 zh*uIw_8TtGI_6f>1En(yRfxHXBGk+zbpri4D@}5wGgc4F z?@>&dX*A!Fs$-+d)r?tur!EwPi0X=aag! zj9LL{t2DCk+s$R{HuPN#PM$NqzGHIHS&Z&w-okVdUylw1EcyNJJ0Z+7r| z{Me8b*vuf3<&;9U^Wo02T7&SkY8d*Qs(!+^z$pK$&go)G90WOa4#a;_(>MwjvF@Y0x;;j?g3UZKb(YmI`@ z%oQutGT{Fse*YycefHBXB?MV}=!Z$EcKSl!K7T@62XKFp27A0!@%mPRXt;aM%p0+;CPO>*lC{y%u^)Q2#vcJ^v4+>0fco-_99tC`zs z#+6d%JyWg(#p(FWWJWb?vS8Y_gcL4Oh7wpqvTUx4HVl-B0Je%;<2!9zZSUP5LT__alUICc9k*N1~DkFqxRa6C8fr?itzs_ou!I^BqE7)^9B!$nm`GxdL~ZuE5Jc%LmShu{@At*JL%=gM6dN5U&6|Dmc&TF zNWjWq!P^efh~P)dcflTiKM-U3v%MwVsS%V{>}rOnRqtYQb`1CWFf#MeW%2$oNSPuE zzH$gXfDv6;e~4?&-yF?o%BKP8I08K9NFWBsG!*vygNnJfA5eo`Q6KLy40RIc`5l-z z>=O$LoW?3w;yf(-4PP5={jl>0@zh4NyM;zs+xa@(iu_02MbHH8Tsg{N78-79K&ap+H|!4SAp99X>ASL(uG8X;Z~#0$#Cn%$#%9y9axHx59r9uu zBQqymqngqEu2FX|b57~&0=$dE4-Ic#Tcg{$Z!Hd();{5mubxWQ2Cs@4eU9bx*wbA< zhwNqdgR;C&8IHX@W1`9<`02F0i*(h6vjgm$COqlW%c9YR(Cvsex)9o1Ag%9S#bR`& zW-hTh7t!;!?oX!uYo^|fbMU>07cs_;AK^#IQy)tv!3yepUFyAHm$vnR<6VvLXzg<$ zf!n*N)^~-jICp*>z(!pq*oan^x_6MjPEq|e&v}kPuAC)h<ab*21)%-3af&Vul0C z<5Y<}3q+TBP>QimJOmXnmmil-7AStC%%G}q!Kr&dO~aXci$iX_}8^(|F4h{<{*rr&_B&f3#j zY|z`Kez3Et-qD=|t65_w+<%IR9qYA4&cip;o8Kz>6>k&&d+*}AL2YVXQ?z$tXG`q4 zQJ4jCZ&2f9S(^U%V&_iOW%gvllIcPs`_{;?L+;h0zZ= z?JUv)(q@W{C3pmOtOKG8I}SNrIC}(kyjlVP1^gvu^qYj7ZUx~99RA0(fqkvoIz+Jq zmw;1{(+7h83BVFG>)8i8mS$%3tNL~dc3f8TwUd;i1G1r3%jj2C5BTb_nxhM%3wQk0 z3}GH}dLdT_BojWzD(BzIJUQ?=YXMH600i@YpD3h6aY!cpx1^WH%H^Mc=(d(-#Y-1XAH_wB~O z&bQ;yyrbRMzUC7q>N3~b>c71>0H3;r;-V}ymPL++)%lsDH5r^--5*;sW9e#Od{2!M zFIHUohbZvj1|~lch8(e`Uu%}e1a)jT&oEnYL=zkA5mPWk`p^^>7JM7mUG2`2cO8#5 zs4|nP_n13OP!fLtO%#ofC=b64b~MOk1UQd21kul|jZSo!9l{?0MGB=KmrHd-RRTGh zQ*}3{L-L*kt2rx9f^u{8J(P2$LTWJ+&w?ZE*GLP!1vnBzkb^K}ZUlLM2TgOH(31>J znaUm_vX+U5VXWN6sd&#$;#sDy1icJt8rH2{&oTPg0R%$5DV}XDuc}G#PDpFBsfuyz za}$Pf_*|cKqGek98|_-28taC(v{74I{UI4DP zD3|iC<+vM{_xsL(=7DqiGo2_1%C9RKes(jRPiriQ1jOQM=#Aj2dD*qU*Vz~oP-R9w 
z$|#BtOVa~~l8j-3_(q6eB`38U@S}$?bMvH#GpTw+sM3xJ%nBPGkUFG@{MrgP+4#+Z z@h8HKe5IajTI4i{6AMdI$VH&xSGW!eg*m|ASE*~YA;%1RelVH!uv*eM5hLae#H`Bl z{1JIT)K)?ZSrOAPW1UDa4IwU6;~m2brZC5MG(<9dH2DO%#&BHmp1t*e&({Su3BB6c=d;-r7uIZPc+sql>qfVj@Sn^7;h2Z7rksZi?sMB-m*12E0^ zAI5Z5(MFhwTU;@Rq7G9%LJU6U5R>2vxPpOyI!DOiV&ENE_K{Wi&gr~uL-f57gyHYP zbkLO16+Wes|^RDrlqTDRKU86YP!73)wCgYU3t-?)HL(sVJ;DF^Oj2_tUbO} zCjkBuhlFUzOb@N+sn8G?GCHnpA(&WjC; zSgNL#+^~fuP7Mz&sqmwpKbn&ycjO*2EKhV-69y0N#z?$GxL>_rUf(_#oCvdvf5V? zwGheCdxwpODk4g6c?0MNXx%?6SGQ;p`7ShkLy7BNrg$<`)CTXi?!%8KK?yLzOl7pQSsayATQ`u!aQrV?Kx2qE$45%(=vYpu9d7`kL*cUohZ-LUcQ@t!SZtQ&~D%LL_ zIZ@B-8WoP3>(}2dl5Q5xoAZ5z3p=y2)!pkhEGo>z()Bvt7E*r~J7f66R|McMPCvUq z>SAIge0lHbBxt5GLFC)uEtP5G?JRe1ow{yqM`=aq-w0ht*s&G04R+upZO4n-h#IC~ zb|rJ9^}Z0_|4zFRHT;+OLfqJutganph1l^61JCufikw|-^*3xrH) zM`?xFvlV3wY{QEyulb5P!j5i)cBodgqqNoozS3I}RyRU3z}mhtITT#U90^7@LeFhQ zZF45Sd=+>bUR?9`dekt2`T9S__c6I#$s7^>MY(*9l1{uHHC$=%QSQ^!xH6$S zk~uUhK@bnHumDg%B{8F46<#moG)G^{Kg4|mb}Vhc=*O7Ek0rPyUI?FK1?>O|_@Zwd z(JzN#|K$!S+CbVUy%_x%p&kDN&Pl+X{9^e29Fj2q~R1b3gXQv9{0PMIa+!+** zS=jzhk0q$TV8=>=U(GCY82zdc55A57;LcxV7C?1DHZU{bbF2jSzT)s1@Hyo|t^YBe z4u~!q5I)BW(g_q`W01|}H@T6u3}Jt^hL%2JK~b0x`5iTlY4r}-1T^D>1-{&|EJ%;y zTq>#p1UMyCQC%P=K*h$jkFw`$A}n`bF_k(Q2$q5d2R1@M{CzG#(SHy+bRzvm70v?5 z&ziI}K|V@#&BFpFgLnij9~5Y;6Xy9Z{k#1a`j=z-ALu_k)hOV<(*OQ!b24KBj==(? 
zIBFhOKWhK*kw3O>xLeDhq8pM){UpG}O9*794>xtmC@3st07ynMrdhCm`LmYzozW17W0IfI!eRB#vM zX9WjRp^QKPEtk?iM<^tpv2hrcPukVRh*ev^2hkcc`%b{HGr`#jMe4l6`&G-cstDFOrk|szwPho~ueM%^@NkO25U$O}X`}!ARw5 zUEG?6*eSucdv{p7t8c=JH2H`8cQgaWIyjfIQO~3qEAkw_1^z?CZkrfmu8a`oE|Roye0#i4j?#LFWMjY305DkpDe) z9$Tk0RbnWmVb04LT#G2aS5wZu0Jp6_`CO2th~gtn zuzwSo^Y&kVp|VZw)$&Edf7qXo3M4m}3SrM*I|?!qZk-UGJ-d7-w~yIaUG_2|$MA4Y zM1bAa=K?!!hieh{7_$!z=!L(B11ojwz_cOJ)8GK&oW(dh2s__{FyDjn6H?LTZBo%p zcE%gOXKnyF!8)W0@L!Z`kBQU$_!(9QBPECT4n3Srh~@5SPd7=Bmyk^!NqAFJAVRJN&@>UkQ%_-e6qBHp=rLzjVYPdw?^HYAeFV@7Nzr1ofS zto7SOjy32sE0un3o?jqUxN%Y`ZC-@+!ltOj{iQ}yPl~N|!J%{pZ;Wn!D6*&GVveAS56Zr_FglcVc<0$Vc=Dv+pTaAXv zc{pIj_6Le$xVIH$EB=$2as(gU5-ELVqm|W3mD+{*PSqktB`4LR!NCz=cO!G`QEX78 z+o`o#`=ww!w>X_DiKejFl_Tqs`*qtk&KBIES<+RcMY|x~aGhcH0@K1Z0suR{L7FL@ z-7eM^CG8pk_z~JJwz@(3*Ea5Z=ojV$Z1QV4`4iAA$+_dyEO{jOmD%tGwCUNmjbrR- z(JmOvxxhT3t@w)S1~@iL+F_j8#$C{Fe5Kn4x-?4``~BM!VSa;DH^i}7vR%6Xuf*xg zpZQ&2o-lB^MgYKZzlyg(PHvFu2L6lM_!@;0#x(*!m(niQhH&l_lAGNKg+_{nYA)?U z;_odCrVFA=7Yd(q7Hkg+m|*@7)^0;hfzSC_I0ZS~sCWW)yejl{xpo2tK*fDI$c!)N z9>(Zb1)B|@Gv@!F07k#bfDy>)Bm*4~U7UHyX;nkre|G4ET0z<>jdVeD%}&00GzztY zw4qObHN!1|&nXxAV)G@zf6F)vVhJ`w9)TU>PJbOjmcafw87TZ8IbjK62kcm@M+Za~ zZ~5q3j+3j%chL10+hJ2jEvXao{3zh>-K2BMMkO$0eyZ9o0j&3o@$FcNNcnq+$<$y8 z&~aEu|9w>C^b_|&!9B44!+Tzg{l5;8vIPLO=2~fOCIkmGa(5%1y4Xm%Qie_`Q+#0b z?D&{`sSuGJ6r|zcW6(B1H0$tB;Xv5cl^KCu<{d5>-afV1Vf&$F)ojY4?|2y4-Z40F@x>U z?R$X|=3Yb?4TYkT<3v%HI%=JczOi@L`M8%)hNvK`G`Rd|!36B0oSgdUlF9tqmgk?y zA=U(-om7z18=tO^4|?Ydub&aROP}46v+usq!9?~ce%Ob*_HZP6NdCK;FraO%INK=& z4^{#8_z^Rft_Jkm4vdWdN&=&T!G-DNP7Q?7dr~J<>I2_m2_Kp}u~;4q1NePJ`;=io z;jz2M^yo%Kzje_Di{PUY!SCU!*=^Xi{9Kb(UL;ZaR#;XFq%lFoBg<|lhD5DD<`Ck7 z4Fy`WV=mg>HqH7esQpOt`g+J_uT z*?H-BiC7;kDy0HpQW6yGHzXk`u%tNpu6imjdFGac{(!VE$Ak4hpR@TEg3mjQ~HD**2?IGlNy7qMuw<8 z+P@Vvak5tKgN2X5lZoKItyvnouIEVHaBj5GW3{tgaSzw&)hjnAxkogBs|cyj*d;>R ztFbUqFC1h9K(LTo_xD2t0V!9`V~t6!+FFl$21&JxF)t2PF?sFLjYtyz(z95dX{+mR ziO)|`EKGzUg>+Tpe(FZ}U(!X0quLF%hr?*CB%|tk-0|97X}FS2_9Ao9;{QT;*g%cw 
z<60EU8+kmIvPG08k~_|DAbLXdKt&~SGD<=YE0&)_9l`IpR0aNsr>b$9%2HRJBRs&s zpY4#cC?{_S*xHn@&zS;|MQL_E_L%#C_0g-+3gNP;GHi12nYBQWFCOujw(SfVCvI~2DuycOU7asqKSWX)c16H>*`oVz0q!My7y{+ zu;bfz|M@3ZrwlXGpOcLJYIdSS!~8r9$eGw+krhVK9VcOTMHNw7^0u& zf>W3mrdSG;37SAz^R{A4Pia*~UxAY>J*k~IF`P_W8mqw;*XPrLu z==<<6x<>LXo-Ty}r@g{+$HPO9H9H6m;KM$#<@5)%l|xyj>c04~Cj+BIcTl9&m-!#)Wx^I+Q zl|TAA5@_sMNVZL1)pb3+lg^3h`Xeee9d~h*noze3Rj-jiVs$MKUY?uRsC;H&4KCgO zDl7PGR(RM&$cRClGQ(;fInnqkyzxpU;c;oLnC)CX3FW-9){2{7O8pGZ&ur3b6yr*x zeCv8&wKbdiiX1Z@Ji1Grl^-XnEX_kjb-|h>H5SzV!#gTHtNF!ey)aE(Fi_8mDXU&Fh=06as)Y{yn5h z!o%%nHkaE)uYEZRfX>%V7-`^#xI9h*#@~7Nw2q+el?b{=W|@or#mN}$Da6FllOJNl z{t`gTKiOOlhO0(eR%ABSBS4sqV-pk^2`oEJ5VVHJjt8? zp9Xrev_D@_PaG_eFZUX%(^eRW@<$%cLGO-h*u&R_%w6An9~v#svs&n;v=5Zk26ev4 z=vT-o3@fM<)vgxjjL#GDk6}d2I5uZITJ|WVj;>~nw6)?GLzKNG8w6);J-a=zRm?z5 zAU^oLoXp453b}L9^rP5og3=sz@J-cUDRaUha+C^lL}kf)1+Z>am87^_Hyv$fHGv=v zjCMN*=Mqs0gAoOf4;lV^kdf?yFDY6!n;)vP>c#x}6edL)b76udPJ^V*(2alym#RBM zH8oD9U}`u(I4AvA@pqce{IO|tD65Z^QQQ-AgY3zfP{u&IxoG+eNj9*J`G%r;A-wE# zv?&FV4%0*oj!^A<nr=%bK(z<3)&l{*N-zns_FASbZE6~iggWT`Oa z_x&{zEP}APsYcVOWt-M_r<;*p)qe9eIRkAaaLJSA{7#u93Z-9^*^Jur}e`7EPbxWWFS?-JVxB?i(MM-GJBbZpoK|_brN_ zrindGhvO*svp&tM3|W5(M%0r!01mCoJ1w1RE5d@HJO&4Xz zTPW*m-&gHx0VdZ+J)ZYZ3MKU^X)JBK{0;3UpVb$8PpQW?@cX%ur-I>v>WwCErI}B8 zdBm8ltZ(_-n`1TopMNh2&lg`lZ{M+OKaL^_hGJ%{Xvq=#NL_qu?x83GrXgSGfG9V~ zDL?y3Oho|LaKR8DFRDY;p<7wJ-!t!N(%7OG>31yWQ3IJq;E<;=b|O!QXM4Io?yGy0 zNK{IY5d-oPa6S!LY1Q&V;7OB5WTFn7pYswq!ocZs3li>%$@T2{4*or&c+?kg49}FS|J^1K#@~OhXQGw)uYZbG{KqUx&Y#LSx$hk@tq}Q3JCl*#4 z=4E2GN5`&cP@C!6mAu^Sn_q;}rZv|pte3(F)ko{s`9ZBnt|qp#H&YllrRx zI=znAdOMBFgG#|w+tQDsrAPC)sz}Or}PVZE|hT#2T09SUvdQ;woF3cvPJ5EzPQF$*j+`t7+nzO~G>uq+5Mv z27yW_YR*c74FdsSigt+T$GF(jwKOdicive+oD-<1P=C&H-H4@bEKf9BVGW7Tw2d!a40+_t zQ|5E;B{$jNsm4Srcjg3m;pu$Q@*G6@jh3k3$cGap4rfZfBDvsP;>Qk30M)9O322o? 
z`K<~ivtIeYS6i*CD?CGL%!ZGt=2l7 zu|fH+6gdBu*FGE1E#FKz)PmjWd!tTi{1>@J$1TnO6uY8z&L=}Te?5~@iC>gJlD|Wh z8?$&WpXcnZJ;fo+9CgAkxvWwhS*9^r#(Jc~NBvAYC=1r$K(Xbw*vDQ7%?ZV9S64%F zs5>=kwd9LJ%Mk}pqILf4k&5SMTGsHZOzn=Q)DL_nqolV^1;*3=3F|OS`K_0RuvD0Fhx*y(MyY##T{j!h~F@Nt*D1} zmS$eAFm9b#!U_BeDFKmDt5-08nE+ny6weAZ;rhIL9?dtgh9F5%>O*E|#Chm`HxS-~ zPd1=>3UIX*QH*@Ly58;Mn+eO~R4jI`V-F6DAu@zo7E(X z*m4GRz6l%{I^C~|U$)_3ER@W^@PVcfx@rY5s@;5hQ~0FsjZpQY-Mv3944b zT%%y0O`hVdCekqcx!uOxO52&m1O3?cton4N0mlJ2{{4m}x)omXkiGZ{sAMwW{bn+K zGuMxLlMi~&x5-TUlbtx;I32<;d_;Vlk_aa-xeki6w|t5srr&EWiOz|hK0d5JW?x-f ze6KvAx__*8BCuw^Fqu^@G?2Dq%q6ybc&7ytbv_@QzwOU^@^N&_e{|m_%(;fxjYpik z&fQX($t#Xd0d(tAiyKXxg4WFGqbyu`*F9Oh_07cx^mWV6+UgYGSM2=UKYn|+ zz)3GtbucgH$1g&b1G+?rFMF(3HYlDv*SSQ`JZc55*Hu=i&L(0V$*4&&#jL`CS{7=c zEJlxw-x;sGY`0YkYNe^Fa->5oTNWPL+F1M$GyXB?v1L1?Jdi>&qU@b(Y{7ku)yC&! zx5)P!S$sfPPPiG1Vf0i<#OE(0Q?icZ2t_jB-eu#m&RNfxIrEBMI+?jP)}2Qm!=RPro~?qT#j+=zSxQRrW;=Ch zO@tEfC<}%Ml2{OZyPX3jC`BrU5?e)@P5aze+$&!2``Dh99$|xA1wuQgQq_CESNpUfaI?K;aWTwy$X{xY> zNME7ZCNK(a@{Z3GLv<2xAO${rb7@hsYUPFly30RMr)b4@O#@5vM@9>jWxTf{`W-}i z0Z}|wu(K`~`7|IHiRr3Y+l3Zmtnp;Nv+oc zJs^{$PlqUL-dy$&Fz{#dR{&Y5P;Q}dWD$`%(Mqg%d z;Pr9EuaX6P<0RKScJR+jEx)=AHW6AahofKf^YCzfOi8ggvbZpJoJb$FmWL z=nSN(W_}7FT=wTFiw$7uZu5S-gbH%yA2IDVTh)YMMXou?bnlzThUfCseqMq@MoluP zdGUU-TK3j}pgDP!z976I7zRuaJl9zBrwjXy9*3$~P4Te@cVkXm<&>PJfmugRX>@O% zXPOo|AZ~QOMmYIMLlhW=X}VXe@>IXB*Fd^m@k^RZVhWDmA2z{pFV-iHy<(G5OSJv; zcRqBjDQ&>o1WRO$~ zEli?t(e^82hzg$ZPvn{akHEoiW-VShDXAt&?u(F21^m13T)%6hhuvjx$dSR2<--1e z#Dg58b(1u&Rr-VEhoQvqm)J33XfM4+uhF_ysRe`8dk|mnIRr2X|1sdfn$gK+{L}!K z#M*-F`4BO_VTmr$f({hy`C-W0>f!#q?d?Y9ain$|*WUNTj`u`Q-=J&k9e*pz^Ft`z zar5j7Gzx03i518g*R+d2B+=Yh-;$kW?~#tqFwA!B!w>4#mGF(!d>{l7E)ci%`9H>?%gVEhZAA; zu;&ObmP@(4Rj3)?VjV6~cpbbKm;qz8(W)NLj2dxP&~)-UXS`Dtt^jCAtY)mD{NSMN zd|hreXy?SfMw!M#seY|U7J)$0oyon)nn6OlqRUx^eB%ikq6EIbkT7oKvQ0C&Z7zZKh z2=CVR7kZ|MHhu2)TX3}DP<~KJs7%7-qV~dq!YBHl%Vf$6D6YL0RJ6!1Wmc+T^MsVW zsu=&lD*ghy&i07y^AOMT(*;a}*fF!WwJD9!){3EP_5i;w$7j*a`FQ`@#>1mVpYz0J 
z?y0Hpid!$oiTGIbIKSJ)Rw&!?(J<+AV5Q}}y)j{UggAQSRExg? z3ttKLOU=6RxK2pr&FqoWdO_QpybkNEg=?3d=s+xcWn9d0z*^j#uk;J->(| zVFT1cVgtp?gBs;>nD+U>sS$m#xSj3z#A)nzBd>NfE#)#dyYUz7Q1f6G!fh3#j>j7H z-0``}CM%IXO)f}t^mQv0U!h^D1eIb3y|l*>U$!+BKEg>ldaf=f&%3HKxf5$Gy^#b1 z;dLr`r@Tq3UnV=UpQfsr!Y-UK3f;KfhkjuAIo zddVW@5_?rpE&TEzXYdA*T=RAw5ZW@*(kL$Q@LEMh4oZG!f(LEN2{;>CUG>;`&$*jt zasOP#^r%1btE0NlU_^!+zwTLNLYZ1m=?u5BS+&|QMsXDqkZl#T6&1Npz=#zOf`HHU zFOqPwbQBj!99I$P{xvHrJb(r0w?tV^+yF7G`Sa?G!<+WWa0_|G-pP7}RY&%yH1lL7 zJm~w#8ay&9p?7^lVj0uuVb{G%8mN$ilYPX-|E0t9=hefG4jDxzD;d)B{Rzw6tt0U{ zwq0n)3hZ07V-Gtg?41Y%_#iJDu>r=enNDBGrC0NUPkL$8!px@nF9j2RpSdGA4+8}Q zXHvW-NdBC9ym>=0Nyc*-12vd^4ZAQD?QZc%?~5&8K-oQjG&05&r?3yevnc?0IN#l! zeDO2bZR_!={r-+a3lpbYA6;H@gvIAmE^n~MYV>(XT9^u@+l7Radv8}D@LEz6gB)o{ z>qn2AQOtE@U3oONli#E0Ky=7`VxN&X_!BSUG7fAn^$Ha=m$Q)O`+3r97Z=snqMnu! zlam}>!Jp<*spNQ(%~Od((~qn^I2S4%AC)oR2dFxl%bX3fUX+FP*yPf&iIn$|rNynr zuEc9p@aV8iy1i^ZJbJ=HAH*eYGOkD>(zKs5!lURo@cs6d<~xg6>1~|lK5s1Tr4Xd7 zCAUErsAodbvX@7*)l;}~VhPb42{AMYWXko7Yn{SD$zQRgyLZ9Fp0E}1+)0g2D%vUi-YA#}Y zZb~Kr+iNi--=G}Y0Xz9F>Y0FxMukiOfGm6C12Jn@9CTv(s7g`7r_{kkAT*nzoM&no z)9k^)ui%4dw^b)r914q|hmbEbF<;Zs!4dIE z&~5pb=fjc)P>Y1hsLOHe95SDioS8Phh0uTe)=)#LX=;EK#3P3fL2smn?#`9%TunOt z3Hj>*Q}$2_T1(4b3jE0`s`)a`P31YHOnHFH4yi}r?FpOqAW5S<=psFuba%>fmSSeF+K|d2m$&A4m_vg9#09(82m>HwO zN$6;hnW@l&(C`nzq%(_kH^{o6A*NJ>MA+UZYTSR)nIRa{es3Iz<4)aLp^-sECasP3 zUb7-6-l+R0Q`$Q5J`vtwY7!c_DFNSEg*f>{H@1R59aRONC3sbyZ{V1+4DxpPWOr*X-7;~V}|(qF=bP<4@KLy=+M>RsM95D2-Z_{KCl$Vauu ziE9tF4+n-T)fzRzVSkzIA2m`4;;~R|gTazE<&W>$WjiAzBi;{XLrr{%BVAK?5M+Qq z(bMwu6cJ(iC}Hdf9O;!1Q*8IK?72>teOpFZS?rDh&y9!64MEKf!OaaJ34tA_2)@wwm4N%)S6G3f)N&+z&X#ikFZ~~i|I$paGgM$tRh3ZYWFT`my1dl^N-Ln z&pXU0($Qn?uZP zCYrWeDh7&6UgT%r%-SgYO6zlc0JF`Bo8y|u+RMpJw>j)B!5FrXCPo2cVKV}Ntye(0 z-{(b+pTkE%b@OXoIZNrK}?_g)rS@C1wp)8!xo#k7T`MTUVE3kL=qu zfR`uryBR-+wrMuNdmN9(!AThjR&;7{VhA+Gk(AraBjX5(;VtU$&0M}Gx$3mXkJ>w= zKjrDX3uLj6p3p=6TGke<2>#pUzgg>^6%Vz4`|-+LOr8Z!*>v)JZNvKryr@7Uv@oW_ zxp!LoQUs7c=%GtWi9RLQzTNKW7nMP%p?T3%G4vF8Zs8kXHdR&338|KG((eGhR`R%T 
zqHb}EbXobe`=AE!Y{l^H>^?zUmO`r8*892)zf~pC)x+-{J@!zDcqtWKfw9%Rs^^da z_{2(KYu1|}`o@+Aic_JPTAzjY;HHxF%H7b{{M<{Z$b)9Y$%4ezp)#YuS5Fc2EVtra9Thc z&nfm@26ubX6nKaV52cY%9Q=jFoSIg|f%+Hp$g;GVlWJc`#2H4*GQdmmzXs8WJle?o>CxCP6$*ZnP5y(Xi=*lw`QtfmrVE zEghy6TeLJdtS(N9v`{+wsr+h((Mqg;)of{MPT4IfDtIN!ZWj?AenWKFzXCTM7n@1J z$jlaNYa5gbS!h3wr9MsT0Q!ArVMWtLM^K<}P;@H_ho`Ct68_cyy{L@#KF=*i^g9F+ zoJy#3Wc0L<@jT<`uxNf*dK7{L26;R~e($mAbz53~*i4(!8VSEecbP!+^M>rxB!xNF zz(VpP{M5HUwEke)y)em01UQ>pX=EFC;e>ofb0CM?X;@bbV}eP6N|z~C z;7n@nHaK-Y&dO1NXwp!!Gmwh=bIuC3u}yjep5{WF@Pn7;cpEj55YDDB&!eA=id=q| z3my`4_PB{OUekm^HfmF*Un#7F+$0>U1Y#)@tzN_;TR4G`B>`-zGWR(G*Ql_RMK&$% zhdpB1p&==+=`82DYVVzhe-UINgOnxShC>}ercr&_IcWgFWgJXKCQMd1Q<6fKb88U! zFTVQgm4cuZK`AUtyx5}AN&g8*QkOkfWl?Zm9Xa8>Sn6RJYVs&$)IUKrty6=g*ig)V zOm$%JpBm|y1&W%U?yrW71=P3_8nYY7zdN}i}H-(>UsW$yytzYY&;xj?dJU`t@C zz^N0}k1GB!u-yf%jE>NKu znRGPLXWp0e_7_g|ter)%H;3V9pUj^foo>_*(iy^282B0W4=u$2K$imlc-$`}x5Zlp?ZxsS}s#!1zrTWUV%L)}&(? zIa4NXNdh}d(=eL_83Si(FQMTfn@LEkzcYxH*$P+00@6||J>xu0leqEXZoZy~q2+HcS`CA8%zW4i zV&5XOS8D>5(C9zRm9n@{>H#e76D`N!w-iKd4i^C{=l6YtsT;(oJ||^w7_lvuX346u zCdE8jJc4(+Bulp0k`}!vs!QH3JDCW)k(Iq9ycW);X7dD6$n5fiWn$cLl)~V5pWIFD zrcm?h{m>G#S?QpxVAgc30ViTI6-A^+t7D=H^@Zr7dw;8NIa4 z%;Z4~xlVg2tV2=qsPyDSTOC`4(0l^W=_5q!)$=f>`kbWQkB3;K!)C)~rfQXVmzq`u zD4xdlT$=sqFjMSl5~&swh{cjWSNl3^vPRX=B`aD z_-TLUJTuH+>I>rApTFgDpm#Ht5yZrmjoNOTP%}5LPT}a-S(q6UAAYHH915EvkBDTi zPFORr$eu|TdW&&~!xh@|t<_Y}!X4qS?@5K`))GVsvNT@M)4CgTHAATJ0k{@#_Isu+ z_anj3K99!{vg1bV4vtEGe;+l)ma7zX_+n2M)Z%N3H@v1ma8>+s(*D{WcGR3)?hSpI z3~c{xL6eBfGKiGX-ZWa#)MlYcp~jORZp0TS1B3G3O}as67+Gc623r$!eDm7V0s{WWMOc*6`_uxt_O_t{?m}NZ6NLNsc^Y6MKh4I zYDyvZ+d@wxP7qW|FMCRrT3=?-vc|Y z&jl_J&;DxkpvEC*FVKN&YZ-S?S9AOj76fl*HXxuF3AdgcR0 z(Fhp+Cx`vJ_ILif^* zFFrRa%vpuhDN}V>#kx5(&+2abSh%-Z_``H-CS=`}3rC&Hx|T?+mr;c$TV=0MIow z^)t6z(QG%u{^weggdub?qwK5;h!hBMD;WHkvY;^YGa9r*fXz5kuc>&4A(7~0N7WKu zWc1oIYXnNbP0w%^gp~GnsIxGQ%L4hD1vVe8YZk`LcEy&u~ozH z*4V>2dI;VTZ*SX2XvIUC$@!6(t(m}saQ(SS1de1zB z2$Ml<7%bu$&6;<*e!J9t`3;SK98AOfXtd|r{WiLh(!r$Sy z&9@~|zz~1bG78(D-&! 
zWRQ1tCK|2PEyv*qQKE=zQ{xMbSHxhng3% zJ@Fv>J#XAs-CZzRO~*HQ&j)|ViC2P`qr?s61f>3yB5|%BeqNeN^1MGhw61$v`p9ZrgW(~7RWAgJACLnRFm#KYN}E8&kS#}oE@zXlXA0hwaFrpNd|@-5NpkGJc7(P0MY_ z2c^EjLrtj7&d6EDr(+hx&FkiYDPjZU<+v0eF>7$7LHJd|;SL=CH!++010-ey&;KQ6m54xM*6_ML zsVa(4wgS|T0z>S8G#Og=K??8 z*o-v;`Ld0mB`;4#)nuv~r>NAKxLK$u?cX}%Sa~@ESrbonS{GKIm)?s_^8+atn>-A> zPS9U|u~RwMkx0;Dh?i@B(J9KTa6!GLQQ9j!y_Ft`_IJc2q?xic3)NU6QFT6R%R$M4 z|F4|v)+2%4e;`|C_g|0&3nP~1M43X5>JLr%ZQrtfR8n&4*Re_eewFDeKa&l762KUvhN zvwCBQ=k6|mD;RC|sPY5eX91ExfL(%8G`8R{L+-Rh0Rf-HfOy&fN7otMQLYV_NdC?o zIt7t52$oXLdwBOX5jqUUSPp9hR>7qKHIGXSjGfH)Z!sKL;MVc$ zh2`zx#lauBE6>=I-DH%vnJ5h6ehaMNKIo|ky&`D>U}2Fuh8+fBHsgG&AYRyOIq;@- zSwOxFm&nGR%o`4Omy9^0KBs`{%a* zlf(4~;!S4W4+@)^UV%>?Pg>Ec!=KZBf!Lo{vgTa*LyVoGM7q&&3R1lte|XRQhr^6; zYpPOJh|KcgZiPF4H}jK$`5`5R(zj9y&lij9H zK`jX~;{9YJOoa%8p5+>YEp?r~MhUf~|0u$SXZhIzRtJr0##r67T$9m>o@+*P_j@A5 zB+*p*`_YkY?OA+?R8X~*aD8QY4MsGvv}pv3@Q zWw&gX-!Na7fo1MAqgHtWeZ9ju)0zziC)lcQ-82Eg!SgAg9ie+I6MC2LRsh15Oy`G&-#;AhE>E2WZc^$8je0m}i$DKcu%?nC*owNH&U*(ItToKB5QZJLqaW*a5#AD( z9o}kS$3C_kombBkwz>(T#5GcebTeiOgsz;K@$bby4DL|XqK3un@AZ3{oh>hSTt}B0 zoVW_N`KF^c1i8W1qO&Nk0+13+SsXI$**C&8f!zlcQ@l(Pw&6YtcRpIr8OjPQd)6QQ zxxYd@6ds0#RnS>QX$3A-CM@8kjr;z9AFjVxP36;N28%rEAFWu-OwhSpoa&xocIZA46&yRPDk`2@ZdP1lK2df~cC{OTCqApYAt)ZG zZiYtXOPGlWmC=09>8JUi#HBv{R{9pJa-VHmO8Grw9G2lBt+G|`fEHcmclO+J_P(pa zfeJU^*KTZeA`-qCXfGpR+diiy@(#ej{f*;qJ!yeub^ab1cBecXIx|G_#BoZvPhIz` zKGk(9t+`(pVM@0i8_3%P6k&sXuOgl?fpZtX@0D7R-RhI3%nDJsN)84&D8?5CBwH&+ z22{;o(BC7|LxZ$hy`o@PR?nbgM)j0L~#y8+A>UHa@z5Be1S&!W$$dd!`QUvx2Qj-5?0ul zy?31j>9Nee&s2!95JUzW?+TxDSG|#*cc4c6eZfm3ITx6<=0D9a1pYO3u)G?n)kAnP zjzgnxN|;rYr6YGk!*PKXKE8OY2ecE4In(mkPThD_?s~#Oh}6ZxXA(O^Nc|~_OA~N2 zXf|+ju0=+Hf8#}5;%c*O&bTm_=x=ekCJF#G*8f!8?kW;PY>a?!xD;cyWppR=>U}y^ zh~OOONg7XD3P!qNkld%3H13Kh(b?U8Q5dH^#K|{~Zgfe`a-Nvs%|ct2jC^NbJ?P2I zHgCDJA$7NG&%JM6(I~$#3wUKc56Jkm&rcx2`V*K&>{4|(k${tInjHPqoOL3Ko~)7j z@~|grKINbgqbLe&v6)t=shb*Ph8OYV*pQ9*+KMPr`t)*OA#qlmE7wqcz*2FN#&A+z 
z7q+`}A#-`KURU(0$o%AeLUPX5E<05R1LYvqI$ni=2DeMIH8&F1DE)PD_Qy+vSN)g` zZPIuouaEBa(tBgljg`BBxtMAI1rsKG-?0Rh{-!#OLy5MBh}cnpGcw_@FRkj}U9vzk zBC~7()qQBaKskq$SZycMT3b=t*J*77gXEKneef2=c@#TEWD>J>$E9k;km<3BDE5WZ z`Bf8*lJR~mVb6C2G7@PqdGPV~S#VFMJ>~u-PxRz3oy>FxqZS@#>Fu=3tb%%up7EP{ z1wRqT=de#c_$1KX+_wU564-YTw@th04MPGpxjitmVrlW|8ClB= z?~`rJrl*sHbo=M6(0U9P(N{he>RBtm0c`>%Q`{l`9+!}i0XbG35}x^wQblRz&i=|1 zw`P;d`-(g|dtX}`;p_}hF4M>Sd;`uUQt6Mw3xq!6{VAQo5$A}UDGf`=B|}f&h_IY# zm7vZOnHnp&g6GUHw?X#ll`a)mMY z8B_#szhMcgB|Erhu1@xM8JAo8fps;rpk%DgA~jXHV<{@IUSLU3Sfxg1DO7-r6k3UE zfIR_Sdy&1nuPfNbUGZm|F&CyN6RZalLZJa~Ag3%=J>G{6xysz6*@XPaud&x_Wa;nD#yF4Fo$4^8nxhJ@_oe`+iR_o&&h~9C9%40sH5T z7x%zz+df~ap)ncZ-M?tEJ}L|LGo=L@C}Dy6fu@1L4>iJg5|#LqK=`WYs67k#KFiab zu`m|ES6cS(my(Hh_sT%juj}9fUYC1t;KCL2!5E?4)WzNqH<##F+POxI<75vs^^;~; zv=TV|!OU#qUlRvipuiz`5lfm@^R{6==%+}qL1yM9zIk+{>PuBans7pwAr3e~`o`iR zg~7=l&ZxQxfOJ$Pb&`$QUZmO=wp&T;xo?ARLPfL9x-f85VEtrkU5G?Fwewnn(d1al z_P*bq>eg&Pw<16rzFeBt<@ZjROemK*20r!b#%U(Ib@r{S@4BWbZi-j~rN{C#IfzKM5Muhqg zZ)7wamnyYT?w`jyi$^BY+GC_tA6l(rJo?c?6y2${>OKbmhz(;*+%F57GG$G6Cium* zYFp5{(PNm|BX8C|O=`zs7&Di$(U%~LVCM(;Wwxk{leMK8PEnC@v3_UgyvI$`AcqhU zh+Q;!>rr_uc*w#$7Ys8b1dkr$*EBYn$a?3z!%+0rLA;8}igqw&MK;TZf$z0YD$*iN zTmni&*l5QLz%EEgC9I9)9d1Pz_OM4q4J#$13@eN-oZv8NT`yR*?t@14ihAe@*9zXC zxn3w)$86^$#i1bYXR|J@G2=B8AuCdIzAtXa(pZWOMZ`AuKFzD>oN|s>gz6hasmZBw zR6Am0(^0le6K)MIbG910XrrOv2*`&+2@r7AsY(vAf?13IZYNDBCMdV9T`Ax0Ob)ZI3KfTK z#;kJ=a=+nfs($$^h*;QmL`BohI` zo7hrWV=6PKB#IpJgsKi5)Uh=K<#vKclKN~_))@5c9LaIu%0Z8JW_&i$#hHv(Na_gj zO?=@Kk3xrFXrf*0OQ!bK_8e+)jto1m!h~=3H)LLl#9Tkqh{T>8>IT2Jc!4hp(O9h4 zZ)X;2%^!~k_K{SFC{=iF0EKYsGE3N@-}N!l(TGGVplp3QDAf!6%9Dy9*YLBVKU|wn z!qZW#B#+GW3?z?E6cHnaT&|TqbzIQ%8k2dSRrka58TWtV6XX9(&BHbhdxloTAWXgm zaQVxGi5yUb^6vg=vEudm%C1B)11dqSN;TmJQwJ&8b5_sgN#_TTo#bk;+ZE%+s|Z54 zghaSvn>6XRW*zzDR+&O$s70l}9;p9lMyoRdAK)dqMJ@sRe!ptp49&!=Gxiv4RGOJ| zAr20L4JHLo2m>Mm9j7{BYi0N~l_Zb(fTFm+|1zAT>kPEkTRd>I+DtJ6TrdEg18+@E>lz zZkKNs^Q*y6Jv*x}SGdpe6)w=sInS8$H1YJSL*iTpq54l(BR_6&x3Q0RZe!#V`l&|v80uhG6jE+OZXZd_d^K|e 
zQwMqsiop(pUFOIUs8`PU5ms+ y;<2RR!MGPJ__zIc5~4Sj7cG}E!k$O!Sg(z}Y{1|V020`-4`@RZkOd(H1NmQEw^1wr literal 0 HcmV?d00001 
diff --git a/deployments/helm/kubearmor-1.3.1.tgz b/deployments/helm/kubearmor-1.3.1.tgz new file mode 100755 index 0000000000000000000000000000000000000000..ae7883d255a2239331386fcfab30fcfe21449844 GIT binary patch literal 12496 zcmaL8WpGnc3O_F1mrv>s$@g*}adLWs})!WBvscye-K~FGsoazccYP_rxf< zS3B7|D?_EE2AJU-0ZMTk}f9Lw_ScDVAQ<}Y9 zev7%l72b>`=DBxn_Hgm42CQGY-#WZq92_PmH{PdPTqZBvN8eLjCgV^s8uEc%e#cOG zqRldP2godvxJbtYFV;FUatbATR08P7FBe4Cw)9lA6g%(5+ zKp2L49UKt1gE)49-j7X)LHEGfrzE%J@iI`KZ@UV{xE|o;=KYzjd5m*>Y3?|Y`P*VD z#0S=SH;2s_5-1PXwLcCnvaM(j_p$OVVc%&8J7NioVMopn+p#3(MY?gb44jCBa2NE0C`SbiDyT zD=gs4=s65u-0u(g$o+VCo|ZIY&XvhwMmXSwuSkDkXnvzc{MU z%l@n~RQlzdLI6vhUPFyGURz$>kGaQW3_D~K7wk5lxv$A8f>&X_9Tdwk+-QR-6K@qyAVx_-7{*t@%i4#Acwn>31)&6eEE~`A5e6fJ$*<4iM!9(_~4<5}cL?Em%3ZCL+Igiro)G z?}QH#Wm4ZYR0Sd6w>3rL6Dc}DI}q+UA7z;k5@A6i%6B`j#u#Rj8^wyamFU>+tIxs~AC>d{6dDzMV6&)P}F~r~M%+v#rws6=Jj*Y3t`%bua!Lq-E0NxKo+pAuJiD z(TYh*6gIklwDYMN>2GD|1&+B)DmV-J>377W5Y~9sUi9E5bs2P52;i@rjppC#yEQ`w zA_dam)@FU+hQi1dl>HjmbVdC#L~`i$d2)-=p-|}*61bz@N>~R>WV=4+iUvyJo8S%D zvQo0{1E?57KPGLGRe>Dgu5VMx+t!x!QaiYPapnb@Z>c-J%)kZBglMw+?}QvDwHSKS{h{xRgI1EalGgH>mRo!nuy_4ym7mE3FqDP01sp zWU-@X+C62sM9T1QwUP>dvv2&|2(ePQCbS@6hj2TKK>}t>pWqxS`Ck)~!|jg-2+TRZAT7f4YzQv#+W0lT6YxaCbX--&dc@ zpIU3{k0u+6tbbE*Dww2+SIu?M_IlEL;oV4|pnK)caprlfK1)%{S?3V!dF}FCJlkI! 
zDWB?II)VZwCBqG;{uwQksKIeQd%!KlV3D10v))%5DW4?PH|sG%QETD265Eda{No}_ z6fg5dvXJHcT_G`>?1SpteD`ZfxIoaMah~1H&C%bq<(pFbTK0a5K2!G?h#A~Po}of8RWeY#XD25t{pbs6 zOP|2mtAKpO%2aO24eo0h=nDZpRlrd@)p~Av^Wrji-!+nMmM*Y*Y{P6<+61B1%1v-e zibsv`p0CJA%S~276V!J+W0+Cd zoixk~!CDBc#1Vl=>8V~a1U@V=JEO%M&On(YvmMLDKJufA?#?XfMzkw*tW!`r0if0> zp+=auDZdIiNu{5yus-_usgTG7IK)XV2(|};%O^9*b79+^(^OWU+P<=_6}#VSe>o3V zb+=PFPKlmOM?b5unxBMCB#T#Kk(2co^iAHg?8m*o)IFc+6yK<2-E`P+jhIw-IyiA9 zW>RT0bbEh<+$g~!?p0b|=qg}iz)+X}ytTBKo>H)u+6G_z_L2EB_s{R#h74}aWD-nA zk|QnR(n?7(BYt$SjFWxUmm~ztFD!AqSAc0}%*ObK%t@cf7;`a7a!B142Rh9H&pZ`u zBNfLKgom;-UoV|;tsrcx8PytW{8Lfw(#gK63NK2mh=_-x4;f?x?`T+2gqW*wTHUBN z(+JhRtT=`IYw~HETR~KWi7+(+gS6)ct2BKlz7-(tJ&=>fvuFY!_Z-m0$IUnmY&Fc~ z1_EvP+TR2f@NI+{c=OstsvZlbr#1<_Gb^vyENEjWxm_}%ErfJQr!40GHiS$3Azu|4 z&n}nN3YfwRK~+%7xYF5rtz?QrfJw9QqZOR=jq)gwqUBkGSnE{-YWL~7_|rYs{sAU0 zMB{Ys1EUd2frf`;XM!=zuhgiCy?^cV(jA2h-AY{}OEQeyLKQT&NJ-W5g!14&mfIiA zBdEDfuY1mQw-&X_Togxb)skpz9UfNQsbxVd@H zuG*a<9gPt?kyi*?^DH}yn|QTzHW;nUpsh18$*w^82(E?9hdTSRcq95*Rg>f25nOqx zfF$vKs712poQmA|=OVapKoXk`wbdVH;mpjYEo!MsxDz#$c-$zwy$DO=2~ucuSahLO z;2*W*`3R>~LTOy7NIjCT08xP)wD)Tyd$;;nIyG%!<-W*Bp_o1;L#cZ`eFD^eN+YQ> zaP*}9bc15Z8X8eRGR>5}ee*J1o`kYUomNFG9ik$-FrEXHWzYcjC@Ts}KpfPa8P3uV z<|oWkF)K}0_?~sHu7L5miq>Ao{)e@-S7jE%1#p$UV$?pi%9`P{ITmSWixuKcTVJ~+ zT=6T~9tYMtI}E8XV-|6`FZ(R`G}#f5%)?@3#QqUzG!1!F$*>5kSG`mb2&)?Mv#LkX za!Nca@R>VNfkZJ%E6F+g>Gpszt1Ib|HFn`;73?7PKP<${=GDKtWz;+|$puUK!S*tw zU$B)(%CXe39X?WQ>U{GV-PyDRA}HqUD_}Z|rLM>47YKNwP6b0(zvw{=eETtf`Mopr zkLg->+Ca^d8zCT755S%cVBY|+6EdqQ37}zqc4_LWz8D4lic6`IWg&R*+y!YZ;ADl+-5(`EP&T0&fF+zF-N$5H51UE9vOn_qd{6E&0pVAL`E8(}_hA3XRMwC-vx!~raNSJet$k56U)pGi%5q*D$ zzCwYXcppc0HsMDQuZ3A1U4lSk~?kl+f@ZIMeX!H5f8t~cu7~ipWHd-;A-$70T6CBfT zMyVFUwY}l*iqgQPLt?H}0qZ}cjPBMa-H8mJj5#iq?7Czgp*{e|RcWV$Fji-a!CF}? 
zNd9(GvDX!2Rsp#R?+X>7%yI@-oeB*>dq&x}_!OqW+3eva`=_P8-tBxvee>6r{U5#E zu9TKV%y3Hi8+vZ~^L()5My=I!K)Pq|I@S8RZ}02zw(gW5u=|kb&-=aPm0oITY1|H* zNv0A$nN~K{szBBtUwq)0BJL+mv*qll6>-WZZz`}w&48mK%W^CrATTlw z-$3)OzNGKL|F45jm|0(0z5tSb`d*hi#7^Pe+P<3oCH8S0@o;73)}s;SyQkX%K~)lo zL3b}<6>gUP%jOlii;eRf&$ z?NQ!5*zPt+INzOmz|n}UFRiOQp*b_2xlmwl`>#Dlt7D`8#(;be*>o0-S6qkVewr>( zyzD=1sGnQOl`fkbO2fup%r9Mv7k9+{{l&9Fx+E@fH(7%1NmE&*+Db3w(QtgC#icyP zc9g+}7p&;=pNyw90)gQcxJ~DyYwA7}M1_X{mgptZ*?y-l$~Lvv;dJ4-)&9TbbNMe!`lVOy0_M7HQ-&7y3iCe=!IXQ(66}6=r@6 zjcl#Q?22Z^NJ-)+&lqa1OEkeq5PkULaTRVP-8x<2Jt zi`rcySZz~G99}(E3KLs&>^Lc=%`F%exU}xKU+}+6Lo%SWt>tZP&BVZkW1}t@i?+>! zX!joNqb1D4_U^?XAEr$gzGh_L5}Po@bnhU-jd_8St3r&8NJMB0ot4BGA5PvuE8!@_ z#LlQN~bVedx2u4}Lp%4LuYAAuNG;h@e zxIac?XCGUHmihu?EMW=_Zx@J;knSHA^1yS#R)(kNAfz2ZUg(tS2p7&;Xr|{ZSMt?E zNX6n|WC;$-yaBy&zv+OKy&ZwojW4`CubFxpdI1s6RD!agsw}EnCT2>ZBqWpBrIoS` zNqh2F9QLljHaYXbzP5W*x*>$X=WGUqZr%KB%*i*Q+`GsKP6ZrOALrY#||n$@vXyX=?J|f zg^cunK)-F_jhv6ik^j97lv_EFJCTbi_dQD)gktl$NDLh%q8x&j84%hJq!TxX)|({# ziC3CThQD*_Oo$(@#%!R(Y@U({81)^q`zkTTl<;z2k7abzJKu#HIxye4027R-zRK0{ zqsPm6af>r{KDy}42p!5allZ`ciDNpGHve>yt0P0J4nC6maKQSjFeKZL46QyB{Hz1; z1zbD}%E#5`Q#7ZqA&>~XQhwb*U#i$RUw<7i8%mUX?mk1-7k}B?#`u=6?e{yyWeD3` zXq76X6n}pR8eZXrOCQLJ6rU82t;G9mq^Ti{o5RCx9_DhNL@K#QjybRx9Gd2+D%O8BxlBU zapR&gg~dlIqZmFBGvYx;#fiz38C6T_XrCTdYvMUwK|B`SBS%!y|)0A7zUc*i6)!&Z`4aQoF z$2tU+0wF~^IIUb1RyX1nRBlktj$Vn4bBQk!Tym9;bzv*0<(6$@a@WB2_sF1@N6E0` zBMs9=i#Lk1ZjzcEf6@IE*Kf$A$~>hM)2Lr+kT$HKPSxg6qfCB4R$8l1%}c9HWj7 zJ!R%G<0DUj_)qWR*)Wepr07Qu)_ZL6?%0a~Nb~wsW>R0|Sc2Xn8gthqM`q;P>Bq0) zC#wdte8}}qISM5A1EjajoTDVn46F=fl_rOdqcQ}kvluQDr=MIcC+*z1Xt)aU99r$7 z3w`tHX@juj<1~n(*7Y97`VT}5yKHr?^$*j`g_SvXzai6?*V!i0zoae>Ujw?!Z$hO% z9Ao6f&EJSr6YHn!mshNLX)(StuYV7vm9XW}&}(waS^VU=_g%(Z^XMX2fyI9g9`+tz z<9bT`7}lD-B}^g_`(Ai8o*7RiYvXzOR?2#by*$x{9VTVeuNenfzp8{uB_UCqtx5^+>+YwCw-t$%|y_9^9%b#KCH{R?EbIMzUQx0zW29P7&lpZWBVLTUg`g zy>ze5^_0BQBvjC zz=I>yN;3yFo4V@)=1M?J*p=K}p+5sKtZ2yj{|I-Ig`FH7mLg6+* zhYS`0t8JO9iuE94tO#!k74e2R 
zdM2ZD!}BwrA)5Lv)tOnTQGh%Z2GTMLZck_uEgyp&4~yCtcGgO}M~`#~EWwOo>8`xV znm01D4;hti4m%KGyr|7WB?(ScFVw?+T(KN1Pk=MG?YQok<0lEVSplUIX1Ef`)*UGA zYvr?NFvcV*i245&-aoI$PQ~BE-^RvPUnUx##!g>`Uy`53UWUcr;4Fy?Z1 zx+lJAT%p|c;RXoB(E5OXj}d?uJ7C=U-|Homdb5@p-*zcg>}g7h&`7~RKvk2Kg2ht$ zTB>uV`ftUx3y(~m#y%M`9Lxm%rQ<}r(`z|}Kjwjz*N8mTnt_0PORsi;lQS<#^FLEe5zJEr}7cD1wmQr8poIwGPfqD!J_{ansA$#*M0mRUxN0N3YcR1dG@Y9tP))Oadna znI1^04KF1Hod>=v?BV4a;BhI8PZV#Rirgx9&V+fA5C9qmUJ*(C)fdY z{!9HkW_#`5o~hrh@+5d+W0=gF5vmg8p%{rIB^j`fgDA{vtMMh87cbtaVlCG1P?JhjX{(o|41@ZeKHkpb%%uc11SiBB{@?@TCm${ah;!>g31_vSg!vCpK@EueSW~qa zzsJUIVLke*YVeczB@RSFl1I_Y&s{0}n5C30v>^@EI7noTRxU(M9yP1t!OVmIOP*K{ z^|SyfVZ0;Cu*irjmQltDeXYUuG@1l=CZ0Z?&X)tDR*Sf0T(R}A{Qa?lyyt=T!7rzb zd7^a;KW+!p+U{}*C8+R0oNiQrQk74)JatYzf<%&*nm}R3w&c1znChHA^)aqtBUw;w zb>B)D)EV=(qDvzeuAkwMPx~l!OW^6*F>h^8&&4RcTzmb ztP9#aur&dL5tjCsf%j*a48|&Z28Y(|O^X(%sKKPKf7AGqWG5GWOI)O?V#0U(+H5uN zKF;z29N2;H&uQn}_cO%p$7=Q)yy(mBIqnu`(xnet8FX=PjiQHq!9G6FOW~n}`-s#3 zuN+PVyr;@975qT1N<3IV;Vu7RyZpVi_^v^DQ%v^rZGSC8eQY!n91h(hWz&D1l@3Az z>hTnZmjjq}rjq^V)3WP{D^<5MmGeUK_N>B#UkgsqVDkaGk|IL$nh}N;^jQyH8D94W z9(d2cJr`MJb=0td(zhCI+t*k>?_D5QZB2 zB~q{u6!Aa#Uvye(C2HE*ntHRVKJA|-NB#4=@pTt^tryB1Cy(o^`rn=x&sREcO@gM} z54Mk@_SPq>e!Mf^r^(u~LMnwejS z&_mj@M|bCh>&yyaC;M09i2#}djX21-a>AwWg47OyAe*bN#{XFaj)6>qoH*eugg4~} zytMuu<$^f0N8h4Z1{vyh{2NCP>e3!v0SqJog$FO|lx~9sNkG2oO8@!e{4>Yv2%1G_ z``6qNDjTE%{HFrl4`|x#pL>^K@2>ErJ9> zv1ab7o``;nAnLP+Q;Q`O9<95b9nT;UksFdt8{+FZV>!yV+mI^Uo5QA~P=vr!%lnS( zy{5oMz?sP7j>0RtbYm273xjh|`v0>{9%*HxsslqYR4V2UXA{p#x1pscN)0$aJF;9c zeFB)Se$GK`*>atH{M~yv9G;N>7MCIqe4sJUh@kO&HSD@Ke5bMW4>bPa>7r_)D$Icw zMKk)N!HhB@uyH2u9ttsuX)!00uHxGS5}FN1UOH4e~7K#{%64<*08}=MY~R@GUSLZ5TEQ#08^!`u*%HYp={; zmc-=ESYH%sj4uf|d(AD6)MzJ#zZ?D|+qJhso`9FoY;Qj`UE-)MM;-W&UDzr>KZTH3 zVDds$pv*BMqho~mykX`56NV=(YBZBF^uCVIN5_~hm`)Q5aknj(gmj6ThyOHmCxc~% z*h%JBiiwI>>pALQViq*z8oavnk+6zjuYSQWiBRS#ViB;E6+2c!AG$-iNA1e8!f7Y6 zsq10Ln9imYBNiD%GBOUHk5`ryi}v!@H(k zTts-zsC2U2U0$xAg=h~G=br^l?{^&mY%Ko2L_#df$f{6^siOBSLmmy|k&8=#-lp;+ 
z$1^*;Orns?7sQL$JeBHR6baH+IzoTf`kn_u5Qh9mVxoIZn1QLzx9*Kwf`58Jo8ME2 zgKn=oXDsPoeGUyGRV^=X^wH?(vU?C$z~Z(!JlgL|KY}-$$AxqF5#0$3m4QbeONaJ* zjAoI+1|CXsAM2JI-CaH2x=8|Uct<&+FS{Mt@mt-*SElXw43m-E6ut`0pHuaSLvkEkkeW1}}tdc3|L&Jymp{$6f$;x5|eACKJ- z;sIZa%b~swL`^p3cgVKq(2LgM>N5=qsyJ?0IJB25|AyuHtPYy`w)z4;f4rP0B<7c-nW%6% zt((+ts(%U+)+6#F=>cXp6~Q-|&60)zS--Ee_L|(X!zxXs53|YHSLMDk$3SJm`C{~e zLOKBM5pex7I(qLN7@ds42?Vm|F0!u9J&?lhHblZ^he(||PKoqO=sg+G++@(1dvuee z_h_>NIwzn>8twa(2u+Bcy9NAjz73RIKrExTNbN0_hDrwxZy`Vu;7?9KE|ZIF{yHKx z#=Z(Nr>AHdhq?)&^{{(iK{Shxq-Lw5Qc0XioTU^zZeUj(LnvBy3+6~`zSy+)A zz$XP(Vi1-2QiR6d()=2#r+1Y(-w@)A?5SCCxhWurQYl_O|9UvaUoVX= zt65WpQ@i?6wX8|VN2?Vu&hATBDp96BA6D@r9is7M{4`VScn^-eQ!%V;%?#ke;Ym$0am%xwFG)TPV>WcDS7X)-g0pJ*_-|XjNK3w^MQ=H|ucRs!<9{UeLs|D_bhPAFWYH z4Q&i@ebJQ(ONq*cPVp-AdDt6)3XOgIMu+ZcrZb*6bGOXyrd?wd$g^|7);THxaV_f9 z@9+7ufxo**tF51+r5@g!{Fc&uoKqkB!Q?wVk@xZd|ETx)5wMBrj{NeIeG1sDXqb!h z49qobGVFNit-bx-|MJYFRuUdO9e)->eFL%L-oz~$?6=4k3!4)34UbijwZQH!G=SRr z`rd+l?xq{XjNUxrp~GBlr|2X7Ud~`hEYl~%0uqY8s>iI>KakN0oDPXZ!!-UJhJ}<`L1V*sWd1y&Xm=%y zAH_&9doD!3!|`z25b9Y|F~u?_G{ej@5V|+EyZnk*I*dQu$nyJ4pERc`h(Ni9EZfa) zOuR}}7WR#cr`_N5ql28V*6MLodZrH9%CgMaWEIFjViU2D5`)$%lmHni)L+hF)ul8| z71iB8f2>kZKLL*!XY~I0%?e%yvhe@pfbL9l>7C8%)sc3QR*x&iULEvvq1FzVgmmpWC6pCvchl`RREKOeJ^RLxCwZ_ z${;j;2t!|l{?Tf zNS$HTP6p-cX0}PMDMPH#5RiN*rOm6qw&6cGrpWOCGYgVmyw)=eq-&tQbHSFQ3_8O3 zClI1WAjp}|sJROQ)~i#yD93E=e%cpxSV``CY=dn=$70R8Fmg`d24S@=PN1CGxh%tJ zv1{b|J^;@J+c_UA>%n121Ea$cn<1MRfDyy4fi#CWA5u>d668df1S*KE6J4C%h zok+yW2;wW3V!KS4iHN{^!&bH_^JQH=8+v0dgsv+kV%e%(BKxa=?lnyIKZhx3uaM+q zCreUpewivtv}AzlV$NH(ntS8Ug@NNg2zdWi92D5n9>W`vt-n!>>I6W*wIpDbJz>=$ zUPX~rhE&@U=L%oC*ImKpdi@Yk9axG{3agNjY7A=2eSVYns)ueLN$pYT$x>xld=8`n zgPN-H;Bx3XP6Bhyl-I-%O7?tZB^F|4B>Gb_KX33{+CNiqy)Vn4M4^gN!wb()Mke@! 
z8AhTEV3tzDN(N!e}GbXVH&dsP_V!}0AyN(sv%`ZIXd$B@|PU1-P;Mb&~22Ae0D z36QJp6TMP3W~-~mU}p!&PYPF#dVRB#a!D_Di}^(- zzbAT1&xco+>gS7&bNu#IsD5@hgZ%M|- zqyH=>AIVnK*ige*)aY6UGyKl|mjYPT7Nw*kP2|gPC#H;hX9mzNsWLi z`vN5FgBmKhOBN+^x>={l6@WSSOg;`I$Erv<>*98v9Zc$)Yk>>&AchjFf#NZ^HN)3U| zeMl(nN+nDoxlJZ7odgw zaAjj7PIcB+-!GB$kGZ9~0Ghd8V&pdm2bLc<{yUpp_Y9q!EH2NY&u8+_rJQ#kmz@(m zYUBRbN1II1^2^pfA=U8A8}L*Bs&$DKFW#|c<)e=lRH&Cil?(p$aV<*m7mmLIir((j zjad0IQIy6@Z4VElJXuIJeo*tXRSgyA^|uPNsg=zImlTOhxX~T@u~hL+b`;@f6?2pL zV?GVMIn_82N7OMbl>~6BIb$=KvQRIM=YnRch-4}F0bTq%VUIwZ($e7%LmWnijnCTJ zJ5wql-;9xhi>sooIImo64tWcX_{ap^3tZlTEerJ|6v?c7Jfk(y7ML{AXCBdgh2tds z$bqRfp?udDuLWr4@+cPWH4w4_*t6GNq~JabIq$ zZ4G&BPsM^-$tT$7m+NZMmTEc2vQKr6hAmTIvyOIaXuu`#i2+qON?#F%*EOzep{v27a@pD*wGyZ5`d?*5~@>%r=- zUA1eir@J?CEDQ$Vp9e$>pf{FQVKJ5d$|dj3%W1-{!D6P$X|1Em%cZEH!Sz+s&c@im z%v(*_Q9#<<&K_{?f8nym(_j^FMyoWMvpSl0Jnno>aFOdPOYUo-7mc2FZg#bJUWG+Q z3TunD4JaV6Pxb5p1{F)kP>|@#e9^v+WDJRyESlM{^5bwqpF%MsHQ$&)W1G?LXYq2| zE?YW#P)JBz02$P3er)ky<_n$@=ik2!55LcSoD>;=yg~c-sKB-CbJg|bs5S&bKyDU zzdOM6rxnDpK;zpN$RUH}5(UL%{j+FiFo=M-9{^va#quUu+e-S^rtG~~Azh?eBNXxv zUIgJ^AH>ADIo&j8pd06{6VP|BydZXtNN18Dhrp8gOeHs++YW5uh+a501WT}8VI>wZ zl4PAD2zf}LEgn0G5)M#_WYf9{McY_XCMpW25#R-0^Bo3e1WP(-ojV#1oyiC#NWLG8 zijbu=XHPo_tpUm?7{+AT7b+mY{R1JVr`-oCpjZ^rO0)}~A}=_bC=kja@6M8B0CJpe z#E__no7o#4U=N4JP>uC)%^?mhdx{ft3@|$OERWQNo@09S5A$;z6&$Eq0|!Jp1-FI) zbq|l1_Dwg(j?KWZGZ7j0J4m$V5A01t!eM_y0-f|@gGX!a6PDr9WOz^SV>2XEVI)HV z3mT;t<|K$_UoEEb*kI61E3I3C!#QDqdW{Wmv@_V%eA~_hkfwM>j=8h# zUvYzso#2=B%!ytCL?oJhsMYUIU(PQ&Y*D5M!BZrLBItMKv^q=S1p$diEZfJ*`>_{giwWgKNiCT{YuBmpGQ00ytE;HfxvTr)jTLV}wVGImoIt>RGVH{B4VE zkepH2A%CRCl6;kI^QtFFO&hF~@B2Vx9gda5ky-WIX!!_(;3(A_koU>2ujL?l<_ba0 z*#W@Ec@a+FQ#jCetUP!25ma`bfkojwpd3v_Mc6mxRav1#!h~^9g+NIA6{vbuPKT>= zGhdU!(e79o0=db4s$6TBVs&7Zi-E0>rAMTC_F{@|=j_(q2u=QENRKLOrevIlk# z@Wg)sU%EeLpfrz`u9*HbGYcIV4i)Y2_`j|#xOsVa-%$M(?9M}wI+E!-aB75L;qCEx zbx01@i<6pLa+In~UYc?GB7mPz>bRA!NQG^ARI)$%d~N6BE|?P+pls+TS(JLZbGG!; zf&+oJP3@LMsHw>=u22g}_`4(-_vVZ9Tgq4!<0wOxBWmZ8N-=8z3)&g`1l0Ck*#^R_ 
z+E!C1n_rOSM$(IOkQWkL?=O$!)r0~qDl)kD778uPZV^;;!@J8IPj^yUvhKqRUdO2) z-Z7TkbMXWlQ2Gg-8OHTY2aASlCz|AV#FM)coJbE9cp_1L2pw@MGZKAgDokCNki28Y zt5iC76o*ygncv0GTo(@~DhEj}5|be}dWCGK_%Pe})|-~;X*gtrix9N7=|@GnD3-@U z!a1}?LuJSwQ=+LV>b8>yV2Y#@q2IwJDLOq~DlV3kTSBVFO=i;w=?5TLh5r8PukchA zZhv1)-@>zEl-bTCfMKH!QUKUOPHTcU&^z<_D_Y}!W!mJ^c5TqGJjW?LRSXX{&A6ns z`@U>?zaV!B`3F`nyw@4L$boNZWx>FwVqCyT==JB({`Bb1((SE*famN{@s+L2mU%vlB@hySYfWiBjE0Q|FH&4-0(`*mFY2a#LUz_(Hlx^;cS; z<`^wY<+4V03_P1cW)7SG*;ph0qwRFw3z)I7^XN(ZT(+aWBc0}W7GK^j+Ny^07`(ZH zch0Tf_}H(bv8@gNw)G$RbF^iuTR#~mJvb?x)+rg$@z47~lL zZ1#Of%M_5E`AAzD*NeFn%yY)xX4DVaABELz_Z04Pj{|wJ_jk(YjXCIA{#;><(#{6{ zAls;PUP_m~1@8!T^OfoS4a>d!1hAe(Lkx+KL z0`WYZ+rN;LlpJx_Q*lGeVxx=z4>$*=vcbKTo+Rq0f(39xHf1L37^X-*DfImQ#p+p^en8qF^@q#bZ6MUe0p=oqqu}gd@A* zm5+jiF4EpX*k#nrIUo>aUPm^!?r_iGE`S#Qo6gUDmh$1m1!dQqp$WOfl$i3V1!PhG z)Hm4$!ycbgza|vPTler~hS4@9h{I+AS6{gY`d&Ti4GS6P{qdVOBwCi3Cni?G81Qxt z%gBnq_gY_4J1s5aPBfVcgztEy(U2r``L2F(<`O1Gbj(}iFL-2D*bfbqC)0=H7?CdVXu;OCZR(>PuJxe+pZx~Y zE1r)zwxm~Z&9v9rkF?Do#ri5;JKCu^Vx^$wB3fteYtbe<=$pz$oRVCm_d`nk=x$DB z5Ux?yC(ov7TDm9QeGGBpG)q$@I7(V!wf3N{fIEt%vG2IKy&)}%K7xm`bMzR}hiJDG z6{KlmypTkNpw{t;Lj3f+#->joOO?(zEo$y_xay@8l-FfKvIEh-{4 ze66jLRS(v~xf=vNS(PUlru1=`yzm+0k>t9hj25#`w`H{4X(GAy5b_t!ina#p?`iK1I&W`;^6_CaI6>;vP!58L4kfK5BYhd@t zuesOXFh$7VsLw;5{M{Mwc%=e!xLKwl3j%!Jg^^)O{(`<_&$`GhUBbmF{KAH$Q|F4c zu2l}@N`&mC`*@L2@HmnX!n-8P>WQ7`n-w=#-eGFOAW_BS#RTxw5X!8dr&;>ax9|rh zodV(p?f$i=BnGzmC_yw)xCk~@>L`9PnO?sbn-J5#%o?(24}h7ew^1Ul7om=IqFf+e zr*7B-{0%wb5QY%YgO{VAoTVE~J_c!LEa}{4EzZvCI_qAITBW%~juGJk+Ub7;$-A^e zEL<04@aJQ&%4aszzZ-y2W6Lu`sT)(yOKIAii)d4)=3UvEYr`KD1AJ49*=z2bXx4Rq zpp>q0TZN4{`Q3axtCMO!^0&d)(}@F&c*Demk5nOepLLjFUT_nboAIS^;!)P}glqG2 zvJO?`Am3$Xs|wAKqhV*~Dab*5a&{%+d{4%Q z?p8a)Gy!MXp8@^`{c)2oT2}gXEilzt-?p{60Y|kVKv+Ye{01i+@GPk9|>8V5j zs9begsTepFi4glUjOsOBZE*4iL)bPSX5fJO3E1`{os?K3DY^dGlC9O!)MMiAq97SA zw|dV>94k})!I9zK zbL9@&=Wvu8TICe!?x2ORtvL`Z77+gGt6qMs9@ZK1_!MPIb)YL8T&ywgj&!10{rh$X zsv!psK<3<L%c8(hi6Mi%%G%oH#z|K&cP}!^k6rmi0;Z3rGr(1@(?$h7_9#?N@2Po 
z?gSZr4usnFb(C=&9g5sctwAwemO2e5JyzsRjxc2}Yk{nv%pnhcpF~6oL6kBH_J3wx z1d$<2W&={5`Y|Gnt1i=4P$){-i{lpLp#S(STmIybgQvSq2tiQCn> z4^_LqX}z0WW2ruj>$1s)zu>|`3A_u0^1^rDn7U6l{`R3jV55E2R^^#-l;@{xF7$rcZBN^gMlWHds>?MNIJ=IelLR|7 z3z>qRANbbwx|J&gdP(f@47B}O9Z+?OaLS)-!!m-Sw3ikoh4V$pPOX-2HCsmE`bX(Q4MZU|wL8fPJj zU-G**#sZe5sjG0|>xKT-Y`ndl-3FBh=e18lC>&LQoP!iz_;x1}J^aod9LW83|26iC z3-sjMa(C3@ssC5Y?_*@6=yqW~Gfz^UT^0gzoSkrunxF6P_hP=Ji%6{AEqxXDE5vq-4aZl8&F^g*_r!lx`0soi@9^xWmTDve9bf5yBbi#U zQ2rT@A}2kn&yI2j=0)ul$-93eIn`ChhaomUhV8{J<_^1@Gq3-fjw9)glvYfp1S^LCX zSUcqYd9mhy_}HYLlDoBR+3+JBvkEmMA`!KSXm{(W6uIRkS@rs+g@W zTK)5nrspRAhRb{}`+H%4#4ETY>#q2l)0K}i*@Ks2rGy5GN+oLGVwIAUT6Yk+8|T(Iy`1Nn}Q*cHI>tzu>9ePz*!5QZiy zwq`c6?gB}PM~zv>U%i;O7A+Fw>|!_O41PYg4c6@P@^Q#4*h2%aDs;G;*2+OTmEXlF=wBls7k{KmG35$)cVv_^go@h<(~*oSA|a81lGMo`sVW#{k= zawUed0;ATF|6=9ldz9`3Pw}=tA`6k>X=~EiQf25fcH97FG9nt*j}I?ih%1@&V5A;Jwr$Z@^Ij3 z!eYC&vgizP4x2f+KvTF&I_eR!7*o-6@hjL8DW!DODV5n~ylThp+OaSu30tV4jm7*N z`8hChZYEm}WcSn!SxXvZI4$q38qpkH$sCAS>t`LP&gz9z*!%S}k}*f3$c5t2V_@=P zjDx!pn*3MU&hIGv;ACsKRD)=?*Vz3_gAbj-@-X(r@tH~W1v&tfJ24ATixrJ z$W+y%Qw?2G9@6x(r__tbse0$#s2FYb% z7b$7^c)sW{7t!HMX-=~%Cak`e8oLx}pvzYU$=`*(VMz{Yy8=1#@ujfY;WbF>i}kc7 zDPZy=P|)GEq65GB@H{i9Gp$h3%wDMH#dvD z`N{)1Dv>i?6PCviXkH=j)J!qfgn#qqQ=J8t?kK~#o^Y}@VB44W z3lh!nsp~~^aDZ*8V_5v`W076?d31Z*7)iuP^+_umE<}zV3;Ilc%=h)=4)?7~m3(02 zR2D5Q>P`6u#viIUb}cbD(-Bm>Q(2jULiMor|9(SXH`0nJYnoH6-@ui*+kq zY(1>n2fnHvzfN>oOrT&ZA(2!g@Jkiq_2Df64}D4&rK@!G8f{?^vsw)`>SEuG7Obo4 zN5^NkSAdpZ3-a7v8EF^mJTNTlCTKYE<~>eu{CiD)TI5#&H#B_Z_4Jpk>{jGEYFham zHukf08M0+1;FNJL@-VvLJC-51-u!Lq>1jXPrc#uT8YJ?^Ht$Pnp!tZ{a;pjMhajce zcAJDdmh{NS)H>r<0rE&T)O=?XyveUQX#YT;Q2Bex$U|M>&4MOv71sESOS22Wq-(s^ zFK@bBFgYddyL%{pd@n4W;7G6E`y*qeLdj%yIZ>*yZdgiTFNg2$HtwScrPX1m2?e^G z5LS@$I#!T#vFRFe(TC4+T?$spr3SQ(JNj1rCS8*gof68953IYi3nei4 zI3!?0Lb;|OYFtjQx7?Q;u=GW_AcY3$oa;-+ZuV2=yrwgyZ}M8WHK7w_ZYTR>TRh(u zC6_)C7I0$3Zy-20Piv~4-I|*tmbwGk<{XT>CTxwPp0NB5q*1aF zC6w*Viusz&+TqGHezX8v(E9M1Igm^*$`V`Vge|ze_$92slJ{ 
z@wpo!Xc{?BSIaa7^21GqV&&m6eE3UN826$od`05lWup3U%@DGo!&Qvs{T{6vo3DVy@D+c}x<_+a7IbQp8iX8gJ%JTG0S`yxOa!v!dGaBQ@4 zIS0eX|PQ>&snl#0NfQFc2 zNkMfDdunBL9ze+8D!7wKCdOYq*)OJ1mDhi&-oo&%Z&YpNGCZ=rfuJI2_YtW+0AB*C z41SPUut*yS$oes4jzVuQZRxZd?e|EV@4ppl$=}@U@13F6o(qoFYpgMC1v?b1!j{r)`x(g^ zQIPkAL1VWlqQLn@@l3o#wBJ@JB#QPC+Qssl*X72<|KPR!MqDC?Oc*6YBB4J@J#a}JQxH9fEr=`*?2?^yq0jWv zvD%x`s!=KvuMU+z6*m8fnjH0fVyQP&#xJRFb3H!PM~ca!i0V$ZXvRqa@ugvZg0)PLaAI(F zqpZ{!+UVSnNM!U9ky=$M-SlFt2%c07HKSmAlccaALHzxb!395+7L-%{Whwn2p^Si` zI06t!PybV?Dh6L8wH70Q$sf7_(nZDnrZ1T4q%RVr`dO&7syfEPwzU~(_VkIXm8K88 zW+EnZO?UyZxTk$EEtn_bD|rgXLZf;mLh4?o{0>>O?-5u@tIXMiRNC&0&2i~6$^0pI zm9|M()p$h{{)2z*CA;mxM_J?#qfR7q*#CFEYGuh@w0Ze^j*@FdgOEjK2xkH%io9Yd z09p@)C4>}CGO1{46OcUD$%t#a1o<3LjL^x?B0b^z)i({}kxtY=#MN)$;JVo4OWl%| zaCYxTz3@XDo;?c!xQ}ic(JLlK=4t?L}XvGs43*YD2XZ#cT!c2AlC(C$9NWp7E2QNG8rd!j~c%cXnnf>Bb6d!8UoB z6LV@pLYcw~e^gF~McI(JRP_Y>Tm4sg$M>nSW4DMG&F%=GG3DRV{bJZB=Dp_IFf>jb zd6-$YaQ#}IhqpRDi`%ZVm+sv=sms??^2c<@_}u)BZ!xpgUofa*=ZG$p+PdF2{e9oH zSwCN`JHp_swv8nRV$jyl8IF1{!$X~!Kpwe^iL28V4em$$5OX|0xggtN(9#7~iM8%j^Uy(Irrt3VhiOn&ady z0p+tGe}npU!H@ba*1wX9m-xw&EjB%^5;c8jb)m^km7crNN%ib@H9Lh->zOy#%k${A zaK!7_lS#LuWb26c-tErcSoY+^pMOg1k6^2A@tN>CHaEtZt+y2X{(ZMwzmB>$a!;qZ;i z$fZU4$mkQ;Tgfxl4RvvY?9=*3 z&SK90r#Juf-6Q36NVJ2;|GP4Mh|h_c{sH=oy2P^nM8^#KbYo3?E))8(t$(`KCKNUp z9(JCxBS|62VF;djB0vq(SrlQZtWh?@!e5d0YJezw7KyA(6MFjXN(IAQxFsKDfn?r-M^lLg3m04`cI8e@Afa&X~Cxe z06+d$VZeThgS5hbWkY4be~{S<;0xA*Kj+7^`j7peF(u7^F9W`yGQxjo*-!qoaa1T25YA>P6e(T!BICoVX*skq>V$$j{_xNoOqZ) zf;4~z#;1BG+uauq$o+nYk+d|-s_|`BYh#S=g2HAOO1Msoo((%yred;WfIXr$W_Dss zu^fz8sHr*3dJFs6(I`W7(`XmDcW?NV63zrFbbp~pd~4$WP(0C)>*vXTD&it0O&mB4 z%GC=>c&ZZxpDhm5U*@9!bpzmKONft8(0^V?@Z=#e@wM!IPO9rerpNQ;li!s^=FnZi zR*E*e#_2RKk#Bops6V-YCC2L?LjNtOs^SzbPA?Arq9jcFC~_&dD(|t%5(Bligr(&0 z<^Y#i5czq+IQ$0^2;(yEol+X`GQW#@OR>A_--g+;&6S!B=bX$f)#^t=swP~Wk-2hB zgNlMaz{e7Uk*ClOvz18-#*ZfS&ozSIjoE2j0M;9tZ;LGM%^|bqU5H`eNg6G}V(D#& zB;%fl_R|LPLq)`S#JPDn78N{dhvzrLi3N8=P^`Ozr#lr@o{@!7A&U8e0qf5{Ty7L3 
z6BM5At&Je)w|D2th9%&JoKdVonen;FOVoO?;QU@vNrlbQYD=(kG_L}_5GyckDU>>H z=H>R_8sr^KfMiWT(K9NI_XI_~`32r>_{t}yH0cn7w@8J8J}Fz@Rh5sgZ{KXb5D=Em ztHJSS!kN{98IXqX5VP~q^Qg{lG5@%?!Vy(zhwnseXP0khANgK#->fOy>v~OZ1;Y3H z>)&WZvkJGTdc9_7=BO|)i+v0NPTUx}WFA-{_irNro&3YimWH6WDXwxPqKr>1w_Fm| zYH+1pl&IkPa%p=r*jND)w2BMP;?csy;(0)#xNQVzucgYTr+P%lcYK6UIPVEd2z(M8 zq~A~|@_yow$HWIfH9jVAA zZRhI=@N{m@esWdc_2MA-t_t$tB+Sz{=&X|V|}J#waeBL4FXUxR3huoG>? zhf6TpZK4*=R46H~u(^nN44R~uLV;R8CD*4S3Nci-Re@TY*M$DOu<&TKZ%eKH2e09| zC6oXMQ+vads;0&?pni8mxmtjgCK`A|%rZsg$r;PW1D|-&^{0M3?>nyR<#CO+R*R0% z1tm>t05|nyM3BwZIn$tKy9F1;{HvKKY0-JoijvYv^hU+?kta>(7^qzrLXF4J15xS7 zeIq=sVcc9yq@>pUd!H>KBR*Z0KvhSQsz;>RTLfQV<%=FDAy_Xp^Bei9V;jrxY(DSCX9 z9%xS$yQ0rbQ*2oYW#qX6*k44%i2*+ssrepp)ftnN<{#M<#+XcVBW-+cTK^YZL^9Mn zbDIT1aAVy!?#V5p1L4_4f;0YEw$ti684lfd#6MdIfqwpiUG0Ltua`bAFBemq2e5t; zvsbK`<=XqTVTz_VSxjDe4W}* zXwh!qo5R5B75tRYoP<$?EFln7;on)+7J*12;Z1F8K71m?@?DdIgs4wN$SHh8K<~*N zVESP3TJc?B?v0RUIlm#(0v$Kbo!#^K!*0>{Lc_d7HN_5ZUNW#Wi?mGC^}BKL5?##f z?YnH0tkGiYZ2X;P8es~L3XuH4V~=$*D7c{pVhT`M{57q@DOd51{T$u0`!=WSP203i zLUs2pG(7xFc!M{}n8irjMeA8%6PaE>gb20m)0lf{2J_oG#e7MY;Q1<}&@aEQU;T0eflu-HJx8A=bCK*w@UT=mH+z`Iy zcZP5ED?Vxn(fL`^9#3N(^rw$yiZ(<${K#WE3@EsWljXuae}$M`yiw6*F6lc-MumWh6T|Y_qe0U2Sc_>9G{yvBmvTL3rkArWMP?CNZ+7OQF@SHjiTEIt zKCO6%FB(BuP!C6WjY5j|^5?l(u;C0IktIR9vN&OzSeA|;vwj!C)iGkaH}O9@EHSYi zdKuRe4j$dD%~B_qJ@i7g-R@u)l&`a3+{V0Ky=ERAg|2>VrbGWcYUhH-x2_=Z=JmP- zkBgd~KTChuPGr4-P@AlC!xF93SvB9%Zf$0LIgG*l0x?K4pHR-cvA{bZGLdvpuFsyC ztU#(8@aVwruD)(O11_UBy>OYj`Wz{pAlW>pe>#vNqO6)MYxmbTM|ogNsj%6g!?D30o=|Lku6VB?9wpO*L9KIs}2aH(u9_i=wD z)CAaGmO8rQy@ezW;!Z7S*^jHHX05ob`1u-W|E)&}v?atVK=&8Ktl(P%0-;UiE`nSH zGP$5S(p`I|^Sd4BnJ55hh*ShZd?Y^QO?dT$ zfO_5Xy?JXj11Y`^`&)u~2Ih*jM=6#B7rQKI=ZpIvC<)yp9xu(-tu4ov9CWiSD?urD zJ1Ym?)c42+5yqgU8=0%(VvrPbfL%hUi(d0@(+LyZu-zZ0ND!OLSQs(Va9uT`gY(vO}yWI7bLn@a7aPz$$+ z*h1W|k3aB<8bSQIUk!RmBfJCSs{X1g_~Q6ddo9=1#ARgZctgdT4PiGc(A&^RDXW*~ z2Sq~D%fH@V3^A1I`UO5|b7BCR_NV3ck>=4<@27mQBe5dlaj_rlFlmt_LB3tcasd4<0`r$O6S75 
zV_l&q(C-dgq|mT`kB&5*;ez@rM6Vo?lXoY34-iZfoPyVY2_*(5W0oU?*ch+7JM4$$-`sPGvHxGQWvGuP4r=yuRY!^I)`?3E=ZD&>0RYjb? z{H&42P*x^wo<@9rcU8Ikl&~aTCrwJLOm}U0KwvotmPw@s?KC5azRybGHp4?p30G=m zBABrq4l31yf1br?r{1k&i(x1@QOo=_upj*eGHlPEf`+a;QTK zy>WYphq*pKnl$S4bW3_=N>z?b-|QF(TiJxzSbSLCtqv<#Y|tO0x{IJCn@Wrql3uAM zXR9Kg*-3_i&B-zXOSRj*FWTNq2i^NLpu?K5RK1+n+2j`y-;|=R@QH<|a2I91DQ5IM zn*uf{(@SwmcAMfO6^XIeIb&EYX;g^ z?EvxXIHiz)aZK7RV)|c!cgaE!iSalb*RSJc?#=Iq2OdY%hiKIV9w5hXx(XK9!I_^4 zvhm2I%i!+4x@c7kj|vk>$kznZT8$@PE~5F+tc9`F^$mrwN0pFc4%n}iKh~TugBrhm zc~U!!{=u@ngG5FY5>?1+66FP>bV#0l4Z;ngkAgU$hW@g@y`;_Y`L#JETLzJ1MyDS2 zgpB}_uiEVr4935+7A0S@ch1cisu&ML@ns5o(gXq1SZ++pmt{(r29HL&iY3P0> zZ|KT^0r z7X8C3w$2EIt_U6sJYJY7J3xu4ZJ=zGo7<-+@4r4A&E?Z8&kKY5Z}L9^xifQm+Wx@y zbvVDi*uUC&F|s3XAu}5w2l_Dv_IUexFs0r4xxITN4^!DT3G``5pg4r12Yoc7dIUVc z+o!(ztHQawiO@dg*_&4-|M0{2Go%m@N?n0dVjN7a^U?EpA)mAewKWXp;Ha#!;p5u0 zF0pCiYRsi*ATrf%IlIANEtPcn;jl7M{jHO{V{XNV)hIf|siPe=Wh3*gvrR3@&=+$= Z;L>?2aQ6-b@%bwRh)|+^2tWf4_5-;r^iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH<$Z`-)C`&qwYZhL`k7nN)$anfVlUcj4p&j~h70>>@Rq9_tt z8ry6nQir6RdYjzeenC<%%kryDlP)&=5KDXvhcm%er!A#q&1w!B?$#|cpSg2u|^b>UwaM&N4^fe{yw%MWDo z<1i9o2Nng(QL`93K;k&0KGE=;Y1WtR>amIOH%vA2e@emxynQM2(IJjRQZ#ofTSs22jncBpG(2ydUiRW{*d_Rf`6`~kt>G8cVk^T2chY; z+FsLfY7tqg>r>F@Nf@5zD&PH^sfdx1sNvIA7us^f5#t(L2qubuHI*okwFpL>L*P zTUyV40FJCe>Tk=U!qE7UcvO$oV=xIGTZ#UK)5h!nSFHP4TC@JQ4;I${*3Rzk)B67q z>FagdJuLi=NJ2E4B2!#uC+WhoXJ+#$c_MsF^B50MIsj7?!!&D*%KY9CyMJ;aq|#=^ zCTk)@0}L^JOyWT2E}%nV z1E+#eVD|D6W(WiXBhIA7u{y+W=sbw1)KVjGOr;W)6{dnzlqjMo8{gn?!uhqOLt-0k zOp65^hAG!et@BnD1U~VhTm-OcjjRCB(kk<(bmdLCTFCQ4MyX;QmUg%ccx9Tnm_(k> zqeZ0hVoT8Fy_6W5(YG>DO1v&6)V(3rkcy~e38$+F0MyAk#m@?vmN>bTNq!;~kFv}F zN0iYT5lad4ZI<2lu)4QWhpE;o^rBmsN}H*hcu{NKRE6OywT?jJcgB4n?yemRLwRP&zOhQrzyGe+zFSeR8oW8a-8P$72~X*_WZ7YlEP?^n9Aa*@ylWt zk1Cl<%=)hq&1Dj}S~dNcy#EgB^s8|$^yw1Rw^F!^i20n0fU?y~qS=RSK0!+KD^aGv zW!WlUCtx^DHBCK#me_uJ1|d`F+2hi2DSnMi;FRLcl7*uV@Ol#>-53+!M=4jsuU8xq 
zDnb24io>_;e^>7R3bp=Cr-5tsf4c{JdzJm4etg>hJwz(6GkR?=mXxEM`CqxBZ0KPF z2+0t`>KUR-;&{V;WQ=~toVA4L=O<*5)&eIb&|e1}Ae#><*b*&t3g>$G+CBiXLFlB{ zU_u#+9Im?^-EBfPE%3@9{QmCOUbp}DtbciS-s^Vdjew) zcXwaDER@*8Xs>eaYP0X|I-9ppWPEq`Y*X~_9q(;0-V)c#2u2i?6X5OX_qw-CNm0G+~yHMzI?i}TG^YviW`oGft zyC$yP!hPFiuyyypTFsrx{jY=l=9B&RAnD5&7w9M#qT)K37M!wiSnvBQ%*Ef6A$E)V zJkGqGL>S}B`g;ot;@Jel$di-Cg!AiX9f-M9E@e`YFnncRl6WjgVC{&ip+(}@;360* zG~STPWh5)QE9#rBn7`P@l_ZKoT+uWpLb-fYYFW8`RoBRRSORxA)9s|<5&d&jCw4!W z)vxQPdi^TB;*^)Iv%L$WQ_F$ke~>6#R4A6Ca0`sG0GWclyE{iWKo;EHJ+=ftrEf_q z_5b{d)>khAYw!OzTh;yl!T!#Z{(p!xcmF@r<&_&7-*x-{*aY~Sr<(ci>1COY85ejz zeXN`R?cIg=pPik9r}_U7={cMerBE;lii71k+)R+cFri^U*%)HtUz?4N^Be{fDnTZ3 z%!QI5Cm4n>4*Ae}+bA2q0)Zh>bczrYH7Vs27C6s=;n%MoUoSm4 zW8n-qGc7er5Tk&QGV~np=;HE1ae>ZrIOI{p8N5HdfPf0=cw?#>=C4KH@rHkjhWVRi zOvVlUCwrAs)+hiCiGQ8MFrpz!=NC`j#Lh3?kX$>zcq-D*T+p%e%l|pg;XM(QClZd2 zdeZS?!9Ss|9FGP_8n(LNpB!&0eI8)rub|s%=6}D}J$l>oqTs&zSUvw+?cIZl|G%}j zyZ?0m>p{|UIJO(EVgr{gHi6WfwM1VlO9Wkl{*^~;-%*m7ETwPraiJUlkT{7^11VJhCaH3Q!JB>!M zGaXYkNrq+*rIC=Ors*Y%12D2F9 z7LM%R(>&!7qj2lox;ojv+0WdQd2?S~HcmyR?T+C`as^j#nb?8BeITm)r%HT9RnD>)8J zP|KlLaBFdmZLLu$bT{o{4t&1(=jQktZnG(Dwu2vElwMwz(ayrHVE(qB0bcSl-NKOb z5N>T?6x>2LQ9NZ{37D}FmO^v}CEf!=3?vY^s<@=CvLR3gTm&dI+pLrqXZ6;6!9bVg z?LFvLItMBtPU%URowrvdQe45!g!&Wk34n2#`ULh z%5^2G5-r~-k>C}KLNc~(C#60bnG*1M6cHA9aIDNAxRi7lq8_hSzjQRK^o3JoKt>8h z3Ach?6EZ~@BC@O}3}86ZmKpjgoB;+@Wot$1(5m6gVc&C{UuU@z(X|cw0Y?dpt5hVU zDanXZ;Bz=H5-%zpz+wNTHb8+h9}7fZ%_$AIAyi2-A#`>k=OkpgJb79vRy(w`%;Ma& z?$ly&j~>-0cjz*A=!bNQ>bH+oSLlcQIV~?-pwDx;(mNUw8h>;mEJ|x*Q*VbM_phNQ zJ%^*-Z{2q%19MdaVQ~^&EgnVpgi;1fS z8&~~t5n>h!TOUF@2a=e~I-u(T+PK>}a1lzWcdi=&1g9be(>zdkUL%&NT@EJxU{ote zjET^KnuizP>aFE%8e{x%uIFk1a*9Hs*zAg|Raa@zu0+k71JCOD=Lhranh1VH#vfM+ zRFz{j=1)f|P3q-mnzp|(mUUg0d+CNZWF~8d%&6LE+>ELR8N2!PzylJ%O6mp_FqaS> zh6LqrCv>cl`VgcjZX<6(kK#JR!w{vw?z@wu@`Z*q)W|PK+&>-0zWEM_?!|Zr(GsMD zTPOQu#QhT^--4phhAJI_Hkq}xRv4s2ASAINjYt@yZ0sD5fWVZ5G^p6NRNMPL(&?ft zNW(DOhJ4~f;~h0#3KMRj-^OUo)RM0PC>wDRS=br@H9-ba5uq}pQ=7tN@s487^akE@ 
zoHK2k2ArWqWyHgf-{|_QHzyWV{7j|UiWnr*oBJI@u>Uq9;j7S~tO+*1(+}tGEIOy% zx4m@|k)?jGd-MkYTnxH{cNbaS#h}|C=(p}adrr)Qnq9QJzdss|M(uX{AMSsK2f@TN zZ8cgJgk_w0ZWg_@T2Td@RZH#mK``?D_QBBgU#oUIufH1HPSoC&6@aDihlAG#|2Sy3 zhway{+MB+Pbc@E$wgBzNUEFXS4g>ekf9#BhW%@N!3=g@sur+Jv0PeP`;D+(Y4Y+@e z!VUKJ+bvhL*};D{9Pn;aI$N<900w`Y=hY8S-dzlOefRj>zW4q;==D##CpP2!tUq{h z@zRuN#;2#p^~6mtv%6^}4cyAC0o7`Hd%NDwUdwyEr@{RX;|%{dL*w<{-fm-XcwUfv zp{vzns_Ck=@3q?d3tjE*9PA&Yec7(IqTf;P;<(>C(p|pm_j{*<(v*33?hek}qwYXM z>%Q+EpLBmc(a)!6M?JXco%9X|XZwJuO7~-V zW2i=NW+-3HWun%Yg<-NRzIJG+aiy z(n?c7t48!%(F%yw#b!C2;>iwtIn3JiW+RxJ5cBZt?fFS>aC~;ESL361{jPpaN%x5l zJrhH{WVI^s)uvrppwfzRW9%Kve3#m6DNc{_{LKA#HfLOsP;yAvqTkcF%ym{_Zy671 zUiTGzN~F@(U8iz5RDfG^LSvAB?6bEYA=RA!`XZ2xdgtV2HL`o7J7H_ie|K8#%KhJ+ zy@TE6)A{d1q=jJPx={O4oU!rKX2FR^d5Ha-b9&*jZ%N6Gk$I)PqXC}ZKWln><~xkW z(@QxU&QQQHRgyG`%1~VyK@?nC^w>!4qL|Xd!0^<`-P*xJj9L1$hzmp?{_cevH|8k z4O~3|q4uoCw#iRbDzzkZ&yRC>v2o`sin1JLR+7%S;Ip~jf7S@vT428XfVTUTj2NV2 zvM0r6-=Ch}6+Yb}@evS~9q*XykSHX`2~R@fLYSht+2HdrqkrbGjaxu>T5$&1WZ1?? zXhUVpeJF^?3 ze(z$C`!ozQs?@i~w0T2Wus{=xvJnc)L}MygCrl7?%B)Am4=J)L`DHSUsM37@Pl8fu zUU_h6R22*{y%rL9aLnM4L>L|tiQk<8n$ptMgx!n<)!@@|WlObEK{=wdhF_JLcoCyN zH**4%RA|{&M41Z~bxJWy^)nY%ADmTc0w7DG#oY2C*L=P?)mq43LOZBGbbB-;DhG9s zhDYfLYn#?JXL(DS4>=E!R8{Q4;o?`fHV1!OwO-{SFQ`+RE2hrE46$D9xs(2?DqA%( zAa}^u6s)8@)Hu~^VWceXWd8HII`wh}My6IYbLYS3TwmoBi%)HDF}fuR4K_OKDaQW9 zz#o}`Pi*^ZvTgCyy%_Zq>waX`)m;}ThW*65ACPyIe;=@gm9uP9V4MJ3Yzs{NIXU1% za}DI1cLwS0tgWn0Q4^l!(#lOyx3F+G~fKx+8L zN7+d_97i!1iZIoIe!}2cM6U6f-tP+>BSWDn;qw5~o3arP=xA0i%68{UL;QL3k=Jr_ zA=3^g{YNgA+gz9%A4N_wock^r6fyx{?wmqAi0@;pFgUIH#-7;^TV&2I^XhYE{Zq07 qA3i#^V+`JBJ}jO2*q+X(^pu{`Q+i6}^#1_>0RR8b+wYSAasU996L~@a literal 0 HcmV?d00001 diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml index 997f2376b7..a1d7009ba1 100644 --- a/deployments/operator/operator.yaml +++ b/deployments/operator/operator.yaml 
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com @@ -24,20 +23,27 @@ spec: description: KubeArmorConfig is the Schema for the KubeArmorConfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + alertThrottling: + type: boolean defaultCapabilitiesPosture: enum: - audit 
@@ -62,7 +68,8 @@ spec: enableStdOutMsgs: type: boolean kubeRbacProxyImage: - description: ImageSpec defines the image specifications + description: 'Deprecated: This type would be removed in one of the + upcoming releases.' properties: image: type: string @@ -126,12 +133,10 @@ spec: - Never type: string type: object - seccompEnabled: - type: boolean - alertThrottling: - type: boolean maxAlertPerSec: type: integer + seccompEnabled: + type: boolean throttleSec: type: integer tls: @@ -155,9 +160,9 @@ spec: message: type: string phase: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file type: string type: object type: object @@ -165,12 +170,6 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] --- apiVersion: v1 kind: ServiceAccount @@ -290,6 +289,14 @@ rules: - list - watch - update +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch - apiGroups: - security.kubearmor.com resources: @@ -388,6 +395,10 @@ rules: - cronjobs verbs: - get + - patch + - list + - watch + - update - apiGroups: - security.kubearmor.com resources: diff --git a/pkg/KubeArmorController/Dockerfile b/pkg/KubeArmorController/Dockerfile index 51a545cebc..3b37ea84be 100644 --- a/pkg/KubeArmorController/Dockerfile +++ b/pkg/KubeArmorController/Dockerfile 
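Review bot: The two `rules:` hunks (`@@ -290,6 +289,14 @@` and `@@ -388,6 +395,10 @@`) widen cluster permissions with no explanation in the manifest or the commit message, which only describes the kube-rbac-proxy removal. The first adds `get`/`list`/`watch` on core `nodes`; the second adds `patch`, `list`, `watch` and `update` on `cronjobs`, where only `get` was granted before. The enclosing ClusterRole starts outside both hunks, so the diff does not show which service account receives these verbs. If the write verbs are required, I would add a comment above each rule naming the consumer, e.g. `# required by <component> to <reason>`, and otherwise drop `patch`/`update` to keep the role at least privilege. If this file is generated from RBAC markers, the same explanation belongs next to the marker in the source.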
@@ -13,16 +13,16 @@ COPY go.sum go.sum RUN go mod download # Copy the go source -COPY main.go main.go +COPY cmd/main.go cmd/main.go COPY api/ api/ -COPY controllers/ controllers/ +COPY internal/ internal/ COPY handlers/ handlers/ COPY informer/ informer/ COPY types/ types/ COPY common/ common/ # Build -RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager main.go +RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager cmd/main.go FROM redhat/ubi9-minimal as controller diff --git a/pkg/KubeArmorController/Makefile b/pkg/KubeArmorController/Makefile index e7c5638589..e230f0446b 100644 --- a/pkg/KubeArmorController/Makefile +++ b/pkg/KubeArmorController/Makefile @@ -83,11 +83,11 @@ test: manifests generate fmt vet ## Run tests. .PHONY: build build: generate fmt vet ## Build manager binary. - go build -o bin/manager main.go + go build -o bin/manager cmd/main.go .PHONY: run run: manifests generate fmt vet ## Run a controller from your host. - go run ./main.go + go run ./cmd/main.go .PHONY: docker-build docker-build: build ## Build docker image with the manager. diff --git a/pkg/KubeArmorController/PROJECT b/pkg/KubeArmorController/PROJECT index 6c6034c670..43c10a5cfb 100644 --- a/pkg/KubeArmorController/PROJECT +++ b/pkg/KubeArmorController/PROJECT @@ -1,6 +1,10 @@ +# Code generated by tool. DO NOT EDIT. +# This file is used to track the info used to scaffold your project +# and allow the plugins properly work. +# More info: https://book.kubebuilder.io/reference/project-config.html domain: kubearmor.com layout: -- go.kubebuilder.io/v3 +- go.kubebuilder.io/v4 projectName: kubearmorcontroller repo: github.com/kubearmor/KubeArmor/pkg/KubeArmorController resources: diff --git a/pkg/KubeArmorController/main.go b/pkg/KubeArmorController/cmd/main.go similarity index 57% rename from pkg/KubeArmorController/main.go rename to pkg/KubeArmorController/cmd/main.go index 39b65a7762..3083fc0d2d 100644 --- a/pkg/KubeArmorController/main.go 
+++ b/pkg/KubeArmorController/cmd/main.go @@ -1,9 +1,23 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2022 Authors of KubeArmor +/* +Copyright 2024. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ package main import ( + "crypto/tls" "flag" "os" @@ -18,14 +32,16 @@ import ( ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" "sigs.k8s.io/controller-runtime/pkg/webhook" "sigs.k8s.io/controller-runtime/pkg/webhook/admission" securityv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" - "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/controllers" "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/handlers" "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/informer" - //+kubebuilder:scaffold:imports + controllers "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/internal/controller" + // +kubebuilder:scaffold:imports ) var ( 
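Review bot: The first hunk replaces `// SPDX-License-Identifier: Apache-2.0` and `// Copyright 2022 Authors of KubeArmor` with the kubebuilder scaffold header, which has no SPDX tag and an empty copyright holder (`Copyright 2024.`). License scanners and SBOM tooling key on the SPDX line, so I would keep the two original comment lines at the top of `cmd/main.go` instead of the scaffold block.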
@@ -37,18 +53,26 @@ func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) utilruntime.Must(securityv1.AddToScheme(scheme)) - //+kubebuilder:scaffold:scheme + // +kubebuilder:scaffold:scheme } func main() { var metricsAddr string var enableLeaderElection bool var probeAddr string - flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") + var secureMetrics bool + var enableHTTP2 bool + var tlsOpts []func(*tls.Config) + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") opts := zap.Options{ Development: true, } 
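Review bot: The help text for `--metrics-secure` describes only the HTTPS switch, but the next hunk assigns `FilterProvider` only inside `if secureMetrics`, so `--metrics-secure=false` also removes authentication and authorization from `/metrics`. With the sidecar gone nothing else fronts the endpoint, and the `--metrics-bind-address` help suggests `:8080`, which listens on all interfaces where the removed proxy patch used `127.0.0.1:8080`. I would say so in the flag description, e.g. `"If set, the metrics endpoint is served over HTTPS and requires authn/authz. --metrics-secure=false serves plain HTTP with no authentication."`. The body of `main` continues outside this hunk.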
@@ -57,13 +81,54 @@ func main() { ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. 
+ } + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ Scheme: scheme, - MetricsBindAddress: metricsAddr, - Port: 9443, + Metrics: metricsServerOptions, + WebhookServer: webhookServer, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, - LeaderElectionID: "5c4b1500.kubearmor.com", + LeaderElectionID: "191ee55f.kubearmor.com", // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily // when the Manager ends. This requires the binary to immediately end when the // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly @@ -81,31 +146,18 @@ func main() { os.Exit(1) } - if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { - setupLog.Error(err, "unable to set up health check") - os.Exit(1) - } - if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { - setupLog.Error(err, "unable to set up ready check") - os.Exit(1) - } - - setupLog.Info("Adding KubeArmor Host policy controller") - if err = (&controllers.KubeArmorHostPolicyReconciler{ + if err = (&controllers.KubeArmorPolicyReconciler{ Client: mgr.GetClient(), - Log: ctrl.Log.WithName("controllers").WithName("KubeArmorHostPolicy"), Scheme: mgr.GetScheme(), }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "KubeArmorHostPolicy") + setupLog.Error(err, "unable to create controller", "controller", "KubeArmorPolicy") + os.Exit(1) } - - setupLog.Info("Adding KubeArmor policy controller") - if err = (&controllers.KubeArmorPolicyReconciler{ + if err = (&controllers.KubeArmorHostPolicyReconciler{ Client: mgr.GetClient(), - Log: ctrl.Log.WithName("controllers").WithName("KubeArmorPolicy"), Scheme: mgr.GetScheme(), }).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "KubeArmorPolicy") + setupLog.Error(err, "unable to create controller", "controller", "KubeArmorHostPolicy") os.Exit(1) } 
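Review bot: The `TODO(user)` at the end of the `if secureMetrics` block is left open, so the metrics server runs on a certificate that controller-runtime generates itself and no scraper can verify it; the ServiceMonitor hunk in `config/prometheus/monitor.yaml` accordingly keeps `insecureSkipVerify: true`. Scrapers then send their bearer token to an endpoint whose identity they have not checked. I would add a flag for a mounted certificate directory and set it in that block, e.g. `metricsServerOptions.CertDir = metricsCertDir` when the flag is non-empty, and switch the ServiceMonitor to `caFile` once a real certificate is mounted. The enclosing `main` starts and ends outside this hunk.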
@@ -140,7 +192,16 @@ func main() { setupLog.Error(err, "unable to create controller", "controller", "Pod") os.Exit(1) } - //+kubebuilder:scaffold:builder + // +kubebuilder:scaffold:builder + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up health check") + os.Exit(1) + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up ready check") + os.Exit(1) + } setupLog.Info("starting manager") if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { diff --git a/pkg/KubeArmorController/config/certmanager/certificate.yaml b/pkg/KubeArmorController/config/certmanager/certificate.yaml deleted file mode 100644 index 98c3b3d9c1..0000000000 --- a/pkg/KubeArmorController/config/certmanager/certificate.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer - namespace: system -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: serving-cert - namespace: system -spec: - dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local - issuerRef: - kind: Issuer - name: selfsigned-issuer - secretName: webhook-server-cert \ No newline at end of file diff --git a/pkg/KubeArmorController/config/certmanager/kustomization.yaml b/pkg/KubeArmorController/config/certmanager/kustomization.yaml deleted file mode 100644 index 03e11cdf9d..0000000000 --- a/pkg/KubeArmorController/config/certmanager/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- certificate.yaml - -configurations: -- kustomizeconfig.yaml \ No newline at end of file diff --git a/pkg/KubeArmorController/config/certmanager/kustomizeconfig.yaml b/pkg/KubeArmorController/config/certmanager/kustomizeconfig.yaml deleted file mode 100644 index 48adbafc2c..0000000000 
--- a/pkg/KubeArmorController/config/certmanager/kustomizeconfig.yaml +++ /dev/null @@ -1,15 +0,0 @@ -nameReference: -- kind: Issuer - group: cert-manager.io - fieldSpecs: - - kind: Certificate - group: cert-manager.io - path: spec/issuerRef/name - -varReference: -- kind: Certificate - group: cert-manager.io - path: spec/commonName -- kind: Certificate - group: cert-manager.io - path: spec/dnsNames \ No newline at end of file diff --git a/pkg/KubeArmorController/config/default/kustomization.yaml b/pkg/KubeArmorController/config/default/kustomization.yaml index 2da9eeb29b..623e7f0b28 100644 --- a/pkg/KubeArmorController/config/default/kustomization.yaml +++ b/pkg/KubeArmorController/config/default/kustomization.yaml @@ -9,10 +9,12 @@ namespace: kubearmor namePrefix: kubearmor- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: +resources: - ../crd - ../rbac - ../manager 
@@ -20,55 +22,158 @@ bases: # crd/kustomization.yaml - ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -- ../certmanager +#- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus +# [METRICS] Expose the controller manager metrics service. +- metrics_service.yaml +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will +# be able to communicate with the Webhook Server. +#- ../network-policy -patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml - -# Mount the controller config file for loading manager configurations -# through a ComponentConfig type -#- manager_config_patch.yaml +# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager +patches: +# [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. +# More info: https://book.kubebuilder.io/reference/metrics +- path: manager_metrics_patch.yaml + target: + kind: Deployment # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. 
-# 'CERTMANAGER' needs to be enabled to use ca injection -- webhookcainjection_patch.yaml +- path: manager_webhook_patch.yaml + target: + kind: Deployment -# the following config is for teaching kustomize how to do var substitution -vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml -- name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service +# Uncomment the following replacements to add the cert-manager CA injection annotations +#replacements: +# - source: # Uncomment the following block if you have any webhook +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name # Name of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace # Namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' 
+# index: 1 +# create: true +# +# - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# +# - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting ) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# +# - source: # Uncomment the following block if you have a ConversionWebhook (--conversion) +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one 
in certificate.yaml +# fieldPath: .metadata.namespace # Namespace of the certificate CR +# targets: +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # This name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true diff --git a/pkg/KubeArmorController/config/default/manager_auth_proxy_patch.yaml b/pkg/KubeArmorController/config/default/manager_auth_proxy_patch.yaml deleted file mode 100644 index 28a6ef7c79..0000000000 --- a/pkg/KubeArmorController/config/default/manager_auth_proxy_patch.yaml +++ /dev/null @@ -1,39 +0,0 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: kube-rbac-proxy - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.0 - args: - - "--secure-listen-address=0.0.0.0:8443" - - "--upstream=http://127.0.0.1:8080/" - - "--logtostderr=true" - - "--v=0" - ports: - - containerPort: 8443 - protocol: TCP - name: https - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 5m - memory: 64Mi - - name: manager - args: - - "--health-probe-bind-address=:8081" - - "--metrics-bind-address=127.0.0.1:8080" - - "--leader-elect" 
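Review bot: `../webhook` and `manager_webhook_patch.yaml` stay enabled in this hunk while `../certmanager` is commented out and the commit deletes `config/certmanager/` and `webhookcainjection_patch.yaml`, so this overlay no longer shows where the webhook serving certificate and the `caBundle` come from. If they are provisioned elsewhere, a comment next to `- ../webhook` should say so, e.g. `# webhook serving cert and caBundle are provisioned by <component>, not cert-manager`. The commented `replacements` block also still says `This name should match the one in certificate.yaml`, and `#- ../certmanager` still points at the directory this commit removes; those references should be dropped or the files kept.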
diff --git a/pkg/KubeArmorController/config/default/manager_config_patch.yaml b/pkg/KubeArmorController/config/default/manager_config_patch.yaml deleted file mode 100644 index 6c400155cf..0000000000 --- a/pkg/KubeArmorController/config/default/manager_config_patch.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: - - name: manager-config - configMap: - name: manager-config diff --git a/pkg/KubeArmorController/config/default/manager_metrics_patch.yaml b/pkg/KubeArmorController/config/default/manager_metrics_patch.yaml new file mode 100644 index 0000000000..2aaef6536f --- /dev/null +++ b/pkg/KubeArmorController/config/default/manager_metrics_patch.yaml @@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint using HTTPS +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8443 diff --git a/pkg/KubeArmorController/config/rbac/auth_proxy_service.yaml b/pkg/KubeArmorController/config/default/metrics_service.yaml similarity index 92% rename from pkg/KubeArmorController/config/rbac/auth_proxy_service.yaml rename to pkg/KubeArmorController/config/default/metrics_service.yaml index 71f1797279..ef41474248 100644 --- a/pkg/KubeArmorController/config/rbac/auth_proxy_service.yaml +++ b/pkg/KubeArmorController/config/default/metrics_service.yaml @@ -10,6 +10,6 @@ spec: - name: https port: 8443 protocol: TCP - targetPort: https + targetPort: 8443 selector: control-plane: controller-manager 
diff --git a/pkg/KubeArmorController/config/default/webhookcainjection_patch.yaml b/pkg/KubeArmorController/config/default/webhookcainjection_patch.yaml deleted file mode 100644 index 674e7388fb..0000000000 --- a/pkg/KubeArmorController/config/default/webhookcainjection_patch.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: mutating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) \ No newline at end of file diff --git a/pkg/KubeArmorController/config/manager/controller_manager_config.yaml b/pkg/KubeArmorController/config/manager/controller_manager_config.yaml deleted file mode 100644 index a5e6824c45..0000000000 --- a/pkg/KubeArmorController/config/manager/controller_manager_config.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 -kind: ControllerManagerConfig -health: - healthProbeBindAddress: :8081 -metrics: - bindAddress: 127.0.0.1:8080 -webhook: - port: 9443 -leaderElection: - leaderElect: true - resourceName: 5c4b1500.kubearmor.com -# leaderElectionReleaseOnCancel defines if the leader should step down volume -# when the Manager ends. This requires the binary to immediately end when the -# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly -# speeds up voluntary leader transitions as the new leader don't have to wait -# LeaseDuration time first. -# In the default scaffold provided, the program ends immediately after -# the manager stops, so would be fine to enable this option. However, -# if you are doing or is intended to do any operation such as perform cleanups -# after the manager stops then its usage might be unsafe. -# leaderElectionReleaseOnCancel: true diff --git a/pkg/KubeArmorController/config/manager/kustomization.yaml b/pkg/KubeArmorController/config/manager/kustomization.yaml index 57c03c8078..5c5f0b84cb 100644 
--- a/pkg/KubeArmorController/config/manager/kustomization.yaml +++ b/pkg/KubeArmorController/config/manager/kustomization.yaml @@ -1,16 +1,2 @@ resources: - manager.yaml - -generatorOptions: - disableNameSuffixHash: true - -configMapGenerator: -- files: - - controller_manager_config.yaml - name: manager-config -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -images: -- name: controller - newName: kubearmor/kubearmor-controller - newTag: latest diff --git a/pkg/KubeArmorController/config/manager/manager.yaml b/pkg/KubeArmorController/config/manager/manager.yaml index 8bfc3acb4f..3b62a69ea4 100644 --- a/pkg/KubeArmorController/config/manager/manager.yaml +++ b/pkg/KubeArmorController/config/manager/manager.yaml @@ -26,6 +26,26 @@ spec: labels: control-plane: controller-manager spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux securityContext: runAsNonRoot: true # TODO(user): For common cases that do not require escalating privileges @@ -39,15 +59,15 @@ spec: - command: - /manager args: - - --leader-elect + - --leader-elect + - --health-probe-bind-address=:8081 image: controller:latest name: manager - imagePullPolicy: Never securityContext: allowPrivilegeEscalation: false capabilities: drop: - - "ALL" + - "ALL" livenessProbe: httpGet: path: /healthz 
diff --git a/pkg/KubeArmorController/config/network-policy/allow-metrics-traffic.yaml b/pkg/KubeArmorController/config/network-policy/allow-metrics-traffic.yaml new file mode 100644 index 0000000000..1d36aba494 --- /dev/null +++ b/pkg/KubeArmorController/config/network-policy/allow-metrics-traffic.yaml @@ -0,0 +1,26 @@ +# This NetworkPolicy allows ingress traffic +# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those +# namespaces are able to gathering data from the metrics endpoint. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + app.kubernetes.io/name: output-dir + app.kubernetes.io/managed-by: kustomize + name: allow-metrics-traffic + namespace: system +spec: + podSelector: + matchLabels: + control-plane: controller-manager + policyTypes: + - Ingress + ingress: + # This allows ingress traffic from any namespace with the label metrics: enabled + - from: + - namespaceSelector: + matchLabels: + metrics: enabled # Only from namespaces with this label + ports: + - port: 8443 + protocol: TCP diff --git a/pkg/KubeArmorController/config/network-policy/kustomization.yaml b/pkg/KubeArmorController/config/network-policy/kustomization.yaml new file mode 100644 index 0000000000..ec0fb5e57d --- /dev/null +++ b/pkg/KubeArmorController/config/network-policy/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- allow-metrics-traffic.yaml diff --git a/pkg/KubeArmorController/config/prometheus/monitor.yaml b/pkg/KubeArmorController/config/prometheus/monitor.yaml index d19136ae71..f287210ef2 100644 --- a/pkg/KubeArmorController/config/prometheus/monitor.yaml +++ b/pkg/KubeArmorController/config/prometheus/monitor.yaml @@ -1,4 +1,3 @@ - # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor 
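Review bot: `allow-metrics-traffic.yaml` selects the `control-plane: controller-manager` pods with `policyTypes: Ingress` and allows only TCP 8443, so once `../network-policy` is enabled every other ingress to the pod is denied, which would include the admission webhook served by the same process. The comment in `config/default/kustomization.yaml` promises protection for the webhook server too, but `network-policy/kustomization.yaml` lists only this one policy. Before anyone uncomments the resource I would add a second `ingress` entry for the webhook, e.g. `ports: [{port: 9443, protocol: TCP}]` if the webhook still listens on 9443. The label `app.kubernetes.io/name: output-dir` also looks like a scaffold leftover; `PROJECT` names the project `kubearmorcontroller`.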
@@ -10,10 +9,19 @@ metadata: spec: endpoints: - path: /metrics - port: https + port: https # Ensure this is the name of the port that exposes HTTPS metrics scheme: https bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token tlsConfig: + # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables + # certificate verification. This poses a significant security risk by making the system vulnerable to + # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between + # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, + # compromising the integrity and confidentiality of the information. + # Please use the following options for secure configurations: + # caFile: /etc/metrics-certs/ca.crt + # certFile: /etc/metrics-certs/tls.crt + # keyFile: /etc/metrics-certs/tls.key insecureSkipVerify: true selector: matchLabels: diff --git a/pkg/KubeArmorController/config/rbac/kubearmorpolicy_editor_role.yaml b/pkg/KubeArmorController/config/rbac/kubearmorpolicy_editor_role.yaml index 5adf72d04e..8bef5dde12 100644 --- a/pkg/KubeArmorController/config/rbac/kubearmorpolicy_editor_role.yaml +++ b/pkg/KubeArmorController/config/rbac/kubearmorpolicy_editor_role.yaml @@ -1,4 +1,4 @@ -# permissions for end users to edit kubearmorpolicies and kubearmorclusterpolicies +# permissions for end users to edit kubearmorpolicies. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -8,7 +8,6 @@ rules: - security.kubearmor.com resources: - kubearmorpolicies - - kubearmorclusterpolicies verbs: - create - delete @@ -21,6 +20,5 @@ rules: - security.kubearmor.com resources: - kubearmorpolicies/status - - kubearmorclusterpolicies/status verbs: - get diff --git a/pkg/KubeArmorController/config/rbac/kubearmorpolicy_viewer_role.yaml b/pkg/KubeArmorController/config/rbac/kubearmorpolicy_viewer_role.yaml index 2a0608e474..3c10218373 100644 
--- a/pkg/KubeArmorController/config/rbac/kubearmorpolicy_viewer_role.yaml +++ b/pkg/KubeArmorController/config/rbac/kubearmorpolicy_viewer_role.yaml @@ -1,4 +1,4 @@ -# permissions for end users to view kubearmorpolicies and kubearmorclusterpolicies +# permissions for end users to view kubearmorpolicies. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -8,7 +8,6 @@ rules: - security.kubearmor.com resources: - kubearmorpolicies - - kubearmorclusterpolicies verbs: - get - list @@ -17,6 +16,5 @@ rules: - security.kubearmor.com resources: - kubearmorpolicies/status - - kubearmorclusterpolicies/status verbs: - get diff --git a/pkg/KubeArmorController/config/rbac/kustomization.yaml b/pkg/KubeArmorController/config/rbac/kustomization.yaml index 731832a6ac..a5bd299d4d 100644 --- a/pkg/KubeArmorController/config/rbac/kustomization.yaml +++ b/pkg/KubeArmorController/config/rbac/kustomization.yaml 
@@ -9,10 +9,21 @@ resources: - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# The following RBAC configurations are used to protect +# the metrics endpoint with authn/authz. These configurations +# ensure that only authorized users and service accounts +# can access the metrics endpoint. Comment the following +# permissions if you want to disable this protection. +# More info: https://book.kubebuilder.io/reference/metrics.html +# - metrics_auth_role.yaml +# - metrics_auth_role_binding.yaml +# - metrics_reader_role.yaml +# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. Those roles are +# not used by the Project itself. You can comment the following lines +# if you do not want those helpers be installed with your Project. +- kubearmorhostpolicy_editor_role.yaml +- kubearmorhostpolicy_viewer_role.yaml +- kubearmorpolicy_editor_role.yaml +- kubearmorpolicy_viewer_role.yaml + diff --git a/pkg/KubeArmorController/config/rbac/auth_proxy_role.yaml b/pkg/KubeArmorController/config/rbac/metrics_auth_role.yaml similarity index 90% rename from pkg/KubeArmorController/config/rbac/auth_proxy_role.yaml rename to pkg/KubeArmorController/config/rbac/metrics_auth_role.yaml index 80e1857c59..32d2e4ec6b 100644 --- a/pkg/KubeArmorController/config/rbac/auth_proxy_role.yaml +++ b/pkg/KubeArmorController/config/rbac/metrics_auth_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: proxy-role + name: metrics-auth-role rules: - apiGroups: - authentication.k8s.io 
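Review bot: `metrics_auth_role.yaml`, `metrics_auth_role_binding.yaml` and `metrics_reader_role.yaml` are added commented out, yet `cmd/main.go` defaults `--metrics-secure` to true and installs `filters.WithAuthenticationAndAuthorization`. That filter checks callers through the API server, so without the `metrics-auth-role` binding for the `controller-manager` service account I would expect scrapes to be rejected rather than authorised, unless another manifest grants the same permissions. The comment above the entries is also misleading: commenting them out does not disable the protection, it only removes the permissions the protection depends on. I would list the three files uncommented: `- metrics_auth_role.yaml`, `- metrics_auth_role_binding.yaml`, `- metrics_reader_role.yaml`.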
diff --git a/pkg/KubeArmorController/config/rbac/auth_proxy_role_binding.yaml b/pkg/KubeArmorController/config/rbac/metrics_auth_role_binding.yaml similarity index 79% rename from pkg/KubeArmorController/config/rbac/auth_proxy_role_binding.yaml rename to pkg/KubeArmorController/config/rbac/metrics_auth_role_binding.yaml index ec7acc0a1b..e775d67ff0 100644 --- a/pkg/KubeArmorController/config/rbac/auth_proxy_role_binding.yaml +++ b/pkg/KubeArmorController/config/rbac/metrics_auth_role_binding.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: proxy-rolebinding + name: metrics-auth-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: proxy-role + name: metrics-auth-role subjects: - kind: ServiceAccount name: controller-manager diff --git a/pkg/KubeArmorController/config/rbac/auth_proxy_client_clusterrole.yaml b/pkg/KubeArmorController/config/rbac/metrics_reader_role.yaml similarity index 100% rename from pkg/KubeArmorController/config/rbac/auth_proxy_client_clusterrole.yaml rename to pkg/KubeArmorController/config/rbac/metrics_reader_role.yaml diff --git a/pkg/KubeArmorController/config/rbac/role.yaml b/pkg/KubeArmorController/config/rbac/role.yaml index 2dfb1f17c6..73578989bf 100644 --- a/pkg/KubeArmorController/config/rbac/role.yaml +++ b/pkg/KubeArmorController/config/rbac/role.yaml 
@@ -1,79 +1,9 @@
-
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 creationTimestamp: null
 name: manager-role
 rules:
-- apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - create
- - delete
- - get
- - list
- - update
- - watch
-- apiGroups:
- - security.kubearmor.com
- resources:
- - kubearmorclusterpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - security.kubearmor.com
- resources:
- - kubearmorclusterpolicies/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - security.kubearmor.com
- resources:
- - kubearmorhostpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - security.kubearmor.com
- resources:
- - kubearmorhostpolicies/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - security.kubearmor.com
- resources:
- - kubearmorpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - security.kubearmor.com
- resources:
- - kubearmorpolicies/status
- verbs:
- - get
- - patch
- - update
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "create","delete","update","list", "watch"]
diff --git a/pkg/KubeArmorController/config/samples/kustomization.yaml b/pkg/KubeArmorController/config/samples/kustomization.yaml
new file mode 100644
index 0000000000..91a6451658
--- /dev/null
+++ b/pkg/KubeArmorController/config/samples/kustomization.yaml
@@ -0,0 +1,5 @@
+## Append samples of your project ##
+resources:
+- security_v1_kubearmorpolicy.yaml
+- security_v1_kubearmorhostpolicy.yaml
+# +kubebuilder:scaffold:manifestskustomizesamples
diff --git a/pkg/KubeArmorController/go.mod b/pkg/KubeArmorController/go.mod
index 20c689a22e..fecd3366af 100644
--- a/pkg/KubeArmorController/go.mod
+++ b/pkg/KubeArmorController/go.mod
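Review bot: In the `config/rbac/role.yaml` hunk (`@@ -1,79 +1,9 @@`), `manager-role` loses every rule on `security.kubearmor.com` (kubearmorpolicies, kubearmorhostpolicies, kubearmorclusterpolicies and their `/status` subresources) and keeps only the pod rule. The new inline-list form (`- apiGroups: [""]`) looks hand-written, so the removal may be unintended. If the controller still reconciles those CRDs or writes their status under this role, it would be denied at runtime, so either restore the rules or confirm another role grants them. The remaining rule still grants `create`, `delete` and `update` on pods through a ClusterRole; if only some of those verbs are needed, this is the place to trim the list.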
@@ -1,79 +1,102 @@ module github.com/kubearmor/KubeArmor/pkg/KubeArmorController -go 1.21.0 +go 1.22.0 -toolchain go1.21.12 +toolchain go1.23.3 require ( github.com/go-logr/logr v1.4.2 - github.com/onsi/ginkgo/v2 v2.13.0 - github.com/onsi/gomega v1.30.0 - k8s.io/api v0.29.0 - k8s.io/apiextensions-apiserver v0.29.0 - k8s.io/apimachinery v0.29.0 - k8s.io/client-go v0.29.0 - k8s.io/cri-api v0.29.7 - sigs.k8s.io/controller-runtime v0.15.3 + github.com/onsi/ginkgo/v2 v2.19.0 + github.com/onsi/gomega v1.33.1 + k8s.io/api v0.31.0 + k8s.io/apiextensions-apiserver v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/client-go v0.31.0 + sigs.k8s.io/controller-runtime v0.19.3 sigs.k8s.io/yaml v1.4.0 ) require ( + github.com/antlr4-go/antlr/v4 v4.13.0 // indirect + github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.2 // indirect github.com/evanphx/json-patch v5.7.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.7.0 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect 
github.com/go-openapi/swag v0.22.7 // indirect - github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect + github.com/google/cel-go v0.20.1 // indirect github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect + github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect github.com/google/uuid v1.6.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/imdario/mergo v0.3.16 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.18.0 // indirect - github.com/prometheus/client_model v0.5.0 // indirect - github.com/prometheus/common v0.45.0 // indirect - github.com/prometheus/procfs v0.12.0 // indirect + github.com/prometheus/client_golang v1.19.1 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // 
indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stretchr/testify v1.9.0 // indirect + github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/x448/float16 v0.8.4 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.26.0 // indirect + golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect golang.org/x/net v0.26.0 // indirect - golang.org/x/oauth2 v0.16.0 // indirect + golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.21.0 // indirect golang.org/x/term v0.21.0 // indirect golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/appengine v1.6.8 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect - google.golang.org/grpc v1.58.3 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect 
gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/component-base v0.29.0 // indirect - k8s.io/klog/v2 v2.120.0 // indirect - k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect - k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect + k8s.io/apiserver v0.31.0 // indirect + k8s.io/component-base v0.31.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/pkg/KubeArmorController/go.sum b/pkg/KubeArmorController/go.sum index 2ea6eee87b..e616084895 100644 --- a/pkg/KubeArmorController/go.sum +++ b/pkg/KubeArmorController/go.sum 
@@ -1,23 +1,37 @@ +github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= +github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc= -github.com/evanphx/json-patch/v5 v5.7.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 
h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= 
@@ -26,32 +40,34 @@ github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdX github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/cel-go v0.20.1 h1:nDx9r8S3L4pE61eDdt8igGj8rf5kjYR3ILxWIpWNi84= +github.com/google/cel-go v0.20.1/go.mod h1:kWcIzTsPX0zmQ+H3TirHstLLf9ep5QTsZBN9u4dOYLg= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= 
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= -github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= 
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= @@ -64,8 +80,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -73,36 +87,59 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= -github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= -github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= -github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= -github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= 
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= -github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= -github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/spf13/cobra v1.8.1 
h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel 
v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= 
@@ -110,42 +147,32 @@ go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc h1:mCRnTeVUjcrhlRmO0VK8a6k6Rrf6TF9htwo2pJVSjIU= +golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= -golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= -golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= 
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term 
v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= @@ -154,7 +181,6 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -163,47 +189,49 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= -google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= -google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ= -google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 h1:7whR9kGa5LUwFtpLm2ArCEejtnxlGeLbAyjFY8sGNFw= +google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157/go.mod h1:99sLkeliLXfdj2J75X3Ho+rrVCaJze0uwN7zDDkjPVU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= +google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod 
h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= -k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= -k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= -k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= -k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= -k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= 
-k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= -k8s.io/cri-api v0.29.7 h1:5X1Fid6oxYsP9/W1NtX0RYUefM2UNwaqfew8z7Pbf/M= -k8s.io/cri-api v0.29.7/go.mod h1:A6pdbjzML2xi9B0Clqn5qt1HJ3Ik12x2j+jv/TkqjRE= -k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8= -k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 h1:1Rp/XEKP5uxPs6QrsngEHAxBjaAR78iJRiJq5Fi7LSU= -k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= -k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.15.3 h1:L+t5heIaI3zeejoIyyvLQs5vTVu/67IU2FfisVzFlBc= -sigs.k8s.io/controller-runtime v0.15.3/go.mod h1:kp4jckA4vTx281S/0Yk2LFEEQe67mjg+ev/yknv47Ds= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY= +k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk= +k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= +k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs= +k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo= +k8s.io/klog/v2 v2.130.1 
h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= +sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= +sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/pkg/KubeArmorController/handlers/pod_mutation.go b/pkg/KubeArmorController/handlers/pod_mutation.go index 17b911817d..74d67f6b25 100644 --- a/pkg/KubeArmorController/handlers/pod_mutation.go +++ b/pkg/KubeArmorController/handlers/pod_mutation.go @@ -19,7 +19,7 @@ import ( // PodAnnotator Structure type PodAnnotator struct { Client client.Client - Decoder *admission.Decoder + Decoder admission.Decoder Logger logr.Logger Cluster *types.Cluster } 
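Review bot: In pod_mutation.go the `Decoder` field of `PodAnnotator` changes from `*admission.Decoder` to `admission.Decoder`, but nothing on the struct says the field must be populated before the handler serves requests. With the controller-runtime bump in this patch the type is an interface, so an unset field is a nil interface and the first decode call fails. For an admission handler the outcome then depends on the webhook's failure policy: pods are either rejected or admitted without the handler's changes. The construction site is outside this hunk, so it is worth confirming there. I would replace the bare `// PodAnnotator Structure` with a real doc comment and add a field comment such as `// Decoder must be non-nil; build it with admission.NewDecoder(scheme).`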
diff --git a/pkg/KubeArmorController/controllers/kubearmorclusterpolicy_controller.go b/pkg/KubeArmorController/internal/controller/kubearmorclusterpolicy_controller.go
similarity index 100%
rename from pkg/KubeArmorController/controllers/kubearmorclusterpolicy_controller.go
rename to pkg/KubeArmorController/internal/controller/kubearmorclusterpolicy_controller.go
diff --git a/pkg/KubeArmorController/controllers/kubearmorhostpolicy_controller.go b/pkg/KubeArmorController/internal/controller/kubearmorhostpolicy_controller.go
similarity index 100%
rename from pkg/KubeArmorController/controllers/kubearmorhostpolicy_controller.go
rename to pkg/KubeArmorController/internal/controller/kubearmorhostpolicy_controller.go
diff --git a/pkg/KubeArmorController/controllers/kubearmorpolicy_controller.go b/pkg/KubeArmorController/internal/controller/kubearmorpolicy_controller.go
similarity index 100%
rename from pkg/KubeArmorController/controllers/kubearmorpolicy_controller.go
rename to pkg/KubeArmorController/internal/controller/kubearmorpolicy_controller.go
diff --git a/pkg/KubeArmorController/controllers/podrefresh_controller.go b/pkg/KubeArmorController/internal/controller/podrefresh_controller.go
similarity index 100%
rename from pkg/KubeArmorController/controllers/podrefresh_controller.go
rename to pkg/KubeArmorController/internal/controller/podrefresh_controller.go
diff --git a/pkg/KubeArmorController/controllers/suite_test.go b/pkg/KubeArmorController/internal/controller/suite_test.go
similarity index 100%
rename from pkg/KubeArmorController/controllers/suite_test.go
rename to pkg/KubeArmorController/internal/controller/suite_test.go
diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
index c6698c2286..d4e90ac821 100644
--- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
+++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go @@ -52,6 +52,8 @@ type KubeArmorConfigSpec struct { // +kubebuilder:validation:optional KubeArmorControllerImage ImageSpec `json:"kubearmorControllerImage,omitempty"` // +kubebuilder:validation:optional + // +kubebuilder:deprecatedversion:warning="kube-rbac-proxy has been deprecated with controller authz" + // Deprecated: This type would be removed in one of the upcoming releases. KubeRbacProxyImage ImageSpec `json:"kubeRbacProxyImage,omitempty"` // +kubebuilder:validation:optional Tls Tls `json:"tls,omitempty"` diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go index f84e360454..300d37a5de 100644 --- a/pkg/KubeArmorOperator/common/defaults.go +++ b/pkg/KubeArmorOperator/common/defaults.go @@ -104,9 +104,6 @@ var ( KubeArmorControllerName string = "kubearmor-controller" KubeArmorControllerImage string = "kubearmor/kubearmor-controller:latest" KubeArmorControllerImagePullPolicy string = "Always" - KubeRbacProxyName string = "kube-rbac-proxy" - KubeRbacProxyImage string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0" - KubeRbacProxyImagePullPolicy string = "Always" SeccompProfile = "kubearmor-seccomp.json" SeccompInitProfile = "kubearmor-init-seccomp.json" @@ -450,11 +447,6 @@ func GetApplicationImage(app string) string { return image } return KubeArmorControllerImage - case KubeRbacProxyName: - if image := os.Getenv("RELATED_IMAGE_KUBE_RBAC_PROXY"); image != "" { - return image - } - return KubeRbacProxyImage case SnitchName: if image := os.Getenv("RELATED_IMAGE_KUBEARMOR_SNITCH"); image != "" { return image diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml index 1e1c4434ec..fecd7ba479 100644 --- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml 
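Review bot: In kubearmorconfig_types.go, `+kubebuilder:deprecatedversion` is a type-level marker for deprecating a whole API version, so on the `KubeRbacProxyImage` field it is unlikely to produce any warning; the regenerated CRD later in this patch only picks up the `Deprecated:` sentence as the field description. The comment also calls the field a "type" and does not say what happens to a value that is already set. That matters here because the defaults.go hunks in the same patch remove the proxy image defaults and lookup, so the field appears to be silently ignored. If that is the case, I would drop the marker line and write `// Deprecated: KubeRbacProxyImage is no longer used; metrics authentication and authorization are handled by the controller itself. The field will be removed in a future release.`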
+++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: kubearmorconfigs.operator.kubearmor.com spec: group: operator.kubearmor.com 
@@ -26,20 +24,27 @@ spec: description: KubeArmorConfig is the Schema for the KubeArmorConfigs API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: KubeArmorConfigSpec defines the desired state of KubeArmorConfig properties: + alertThrottling: + type: boolean defaultCapabilitiesPosture: enum: - audit @@ -64,7 +69,8 @@ spec: enableStdOutMsgs: type: boolean kubeRbacProxyImage: - description: ImageSpec defines the image specifications + description: 'Deprecated: This type would be removed in one of the + upcoming releases.' properties: image: type: string 
@@ -128,12 +134,10 @@ spec: - Never type: string type: object - seccompEnabled: - type: boolean - alertThrottling: - type: boolean maxAlertPerSec: type: integer + seccompEnabled: + type: boolean throttleSec: type: integer tls: @@ -157,9 +161,9 @@ spec: message: type: string phase: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state - of cluster Important: Run "make" to regenerate code after modifying - this file' + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file type: string type: object type: object @@ -167,9 +171,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/pkg/KubeArmorOperator/go.mod b/pkg/KubeArmorOperator/go.mod index 73f40ccce3..49e1e7e942 100644 --- a/pkg/KubeArmorOperator/go.mod +++ b/pkg/KubeArmorOperator/go.mod @@ -1,8 +1,8 @@ module github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator -go 1.21.0 +go 1.22.0 -toolchain go1.21.12 +toolchain go1.23.3 replace ( github.com/kubearmor/KubeArmor/KubeArmor => ../../KubeArmor 
@@ -14,23 +14,23 @@ require ( github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20240110164432-c2c1b121cd94 github.com/kubearmor/KubeArmor/deployments v0.0.0-20230809083125-e2d5d5709d2c github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240709192358-fc2173d2587c - github.com/spf13/cobra v1.8.0 + github.com/spf13/cobra v1.8.1 go.uber.org/zap v1.26.0 - k8s.io/api v0.29.0 - k8s.io/apiextensions-apiserver v0.29.0 - k8s.io/apimachinery v0.29.0 - k8s.io/client-go v0.29.0 - k8s.io/klog/v2 v2.120.0 + k8s.io/api v0.31.0 + k8s.io/apiextensions-apiserver v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/client-go v0.31.0 + k8s.io/klog/v2 v2.130.1 k8s.io/kubectl v0.27.4 - sigs.k8s.io/controller-runtime v0.15.3 + sigs.k8s.io/controller-runtime v0.19.3 ) require ( github.com/cilium/ebpf v0.12.3 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.2 // indirect - github.com/evanphx/json-patch v5.7.0+incompatible // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-logr/logr v1.4.2 // indirect github.com/go-openapi/jsonpointer v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.4 // indirect @@ -40,7 +40,6 @@ require ( github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/imdario/mergo v0.3.16 // indirect 
@@ -53,7 +52,6 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/ginkgo/v2 v2.14.0 // indirect github.com/pelletier/go-toml/v2 v2.1.1 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect @@ -64,22 +62,24 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.18.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect + github.com/x448/float16 v0.8.4 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect golang.org/x/net v0.27.0 // indirect - golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/oauth2 v0.21.0 // indirect golang.org/x/sys v0.22.0 // indirect golang.org/x/term v0.22.0 // indirect golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect - k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect diff --git a/pkg/KubeArmorOperator/go.sum b/pkg/KubeArmorOperator/go.sum index e34d49cfac..2aa11ee951 100644 --- a/pkg/KubeArmorOperator/go.sum +++ b/pkg/KubeArmorOperator/go.sum 
@@ -1,18 +1,18 @@ github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4= github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emicklei/go-restful/v3 v3.11.2 h1:1onLa9DcsMYO9P+CXaL0dStDqQ2EHHXLiz+BtnqkLAU= github.com/emicklei/go-restful/v3 v3.11.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= -github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod 
h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= @@ -21,8 +21,9 @@ github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdX github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= github.com/go-openapi/swag v0.22.9 h1:XX2DssF+mQKM2DHsbgZK74y/zj4mo9I99+89xUmuZCE= github.com/go-openapi/swag v0.22.9/go.mod h1:3/OXnFfnMAwBD099SwYRk7GD3xOrr1iL7d/XNLXVVwE= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= -github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= 
@@ -35,8 +36,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20230323073829-e72429f035bd h1:r8yyd+DJDmsUhGrRBxH5Pj7KeFK5l+Y3FsgT8keqKtk= -github.com/google/pprof v0.0.0-20230323073829-e72429f035bd/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= 
@@ -68,10 +69,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= -github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI= github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -79,8 +80,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= 
@@ -92,8 +93,8 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= 
@@ -109,10 +110,12 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= -go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= 
@@ -130,8 +133,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= -golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -168,6 +171,8 @@ google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWn gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= 
@@ -178,24 +183,24 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= -k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= -k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= -k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= -k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= -k8s.io/klog/v2 v2.120.0 h1:z+q5mfovBj1fKFxiRzsa2DsJLPIVMk/KFL81LMOfK+8= -k8s.io/klog/v2 v2.120.0/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 h1:1Rp/XEKP5uxPs6QrsngEHAxBjaAR78iJRiJq5Fi7LSU= -k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910/go.mod h1:Pa1PvrP7ACSkuX6I7KYomY6cmMA0Tx86waBhDUgoKPw= +k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= +k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= +k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk= +k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk= +k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= +k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= +k8s.io/client-go v0.31.0/go.mod 
h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= k8s.io/kubectl v0.27.4 h1:RV1TQLIbtL34+vIM+W7HaS3KfAbqvy9lWn6pWB9els4= k8s.io/kubectl v0.27.4/go.mod h1:qtc1s3BouB9KixJkriZMQqTsXMc+OAni6FeKAhq7q14= -k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= -k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.15.3 h1:L+t5heIaI3zeejoIyyvLQs5vTVu/67IU2FfisVzFlBc= -sigs.k8s.io/controller-runtime v0.15.3/go.mod h1:kp4jckA4vTx281S/0Yk2LFEEQe67mjg+ev/yknv47Ds= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw= +sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go index fd1e5af0af..8a5ac87242 100644 --- a/pkg/KubeArmorOperator/internal/controller/cluster.go +++ b/pkg/KubeArmorOperator/internal/controller/cluster.go 
@@ -423,8 +423,6 @@ func (clusterWatcher *ClusterWatcher) UpdateKubeArmorImages(images []string) err
 if container.Name == "manager" {
 (*containers)[i].Image = common.GetApplicationImage(common.KubeArmorControllerName)
 (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorControllerImagePullPolicy)
- } else {
- (*containers)[i].Image = common.GetApplicationImage(common.KubeRbacProxyName)
 }
 }
 _, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), controller, v1.UpdateOptions{})
@@ -542,11 +540,6 @@ func UpdateImages(config *opv1.KubeArmorConfigSpec) []string {
 UpdateIfDefinedAndUpdated(&common.KubeArmorControllerImagePullPolicy, config.KubeArmorControllerImage.ImagePullPolicy) {
 updatedImages = append(updatedImages, "controller")
 }
- // if kube-rbac-proxy image or imagePullPolicy got updated
- if UpdateIfDefinedAndUpdated(&common.KubeRbacProxyImage, config.KubeRbacProxyImage.Image) ||
- UpdateIfDefinedAndUpdated(&common.KubeRbacProxyImagePullPolicy, config.KubeRbacProxyImage.ImagePullPolicy) {
- updatedImages = append(updatedImages, "rbac")
- }
 return updatedImages
 }
diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go
index 499bf3f663..64190111ee 100644
--- a/pkg/KubeArmorOperator/internal/controller/resources.go
+++ b/pkg/KubeArmorOperator/internal/controller/resources.go
@@ -483,14 +483,12 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() {
 addOwnership(genSnitchRole()).(*rbacv1.ClusterRole),
 addOwnership(deployments.GetClusterRole()).(*rbacv1.ClusterRole),
 addOwnership(deployments.GetRelayClusterRole()).(*rbacv1.ClusterRole),
- addOwnership(deployments.GetKubeArmorControllerProxyRole()).(*rbacv1.ClusterRole),
 addOwnership(deployments.GetKubeArmorControllerClusterRole()).(*rbacv1.ClusterRole),
 }
 clusterRoleBindings := []*rbacv1.ClusterRoleBinding{
 addOwnership(deployments.GetClusterRoleBinding(common.Namespace)).(*rbacv1.ClusterRoleBinding),
 addOwnership(deployments.GetRelayClusterRoleBinding(common.Namespace)).(*rbacv1.ClusterRoleBinding),
 addOwnership(deployments.GetKubeArmorControllerClusterRoleBinding(common.Namespace)).(*rbacv1.ClusterRoleBinding),
- addOwnership(deployments.GetKubeArmorControllerProxyRoleBinding(common.Namespace)).(*rbacv1.ClusterRoleBinding),
 addOwnership(genSnitchRoleBinding()).(*rbacv1.ClusterRoleBinding),
 }
 roles := []*rbacv1.Role{
@@ -501,7 +499,6 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() {
 }
 svcs := []*corev1.Service{
- addOwnership(deployments.GetKubeArmorControllerMetricsService(common.Namespace)).(*corev1.Service),
 addOwnership(deployments.GetKubeArmorControllerWebhookService(common.Namespace)).(*corev1.Service),
 addOwnership(deployments.GetRelayService(common.Namespace)).(*corev1.Service),
 }
@@ -566,9 +563,6 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() {
 if container.Name == "manager" {
 (*containers)[i].Image = common.GetApplicationImage(common.KubeArmorControllerName)
 (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeArmorControllerImagePullPolicy)
- } else {
- (*containers)[i].Image = common.GetApplicationImage(common.KubeRbacProxyName)
- (*containers)[i].ImagePullPolicy = corev1.PullPolicy(common.KubeRbacProxyImagePullPolicy)
 }
 }
 relayServer.Spec.Template.Spec.Containers[0].Image = common.GetApplicationImage(common.KubeArmorRelayName)